[Freeipa-users] Freeipa 4.4 creating users with expiration

2017-03-03 Thread Rakesh Rajasekharan
Hello,

I am using FreeIPA version 4.4.

I would like to create a few users that are only valid for a few days or
months. So, is there a way to create users with a preset expiration, or to
auto-lock those accounts after a few days?

Thanks
Rakesh
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
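There is no reply on this page, so here is a worked example added by the editor (not code from the post or from FreeIPA) of how a practitioner would handle the question: compute an expiration timestamp, build the `ipa user-add` call that sets it, and audit existing users for principals that are about to expire. It assumes the `--principal-expiration` option and `krbprincipalexpiration` attribute of the FreeIPA 4.x user plugin (confirm with `ipa user-add --help` on the 4.4 server) and the `--raw` output layout of `ipa user-find`; the sample output is constructed.

```python
"""Temporary FreeIPA users: compute a principal expiration, build the ipa
command that sets it, and audit existing users for expiry.

Added example for this thread, not code from the post or from FreeIPA.
Assumed (check `ipa user-add --help` on your 4.4 server): the
--principal-expiration option and the krbprincipalexpiration attribute
of the user plugin. The user-find sample below is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Kerberos principal expiration is stored as LDAP GeneralizedTime in UTC.
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_gt(value):
    """'20170402000000Z' -> timezone-aware datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def expiration_in(days, now_gt=None):
    """GeneralizedTime string `days` from `now_gt` (default: the real clock)."""
    now = parse_gt(now_gt) if now_gt else datetime.now(timezone.utc)
    return (now + timedelta(days=days)).strftime(GENERALIZED_TIME)


def user_add_command(uid, first, last, days, now_gt=None):
    """argv creating a user whose Kerberos principal stops working after `days`."""
    return ["ipa", "user-add", uid, "--first=" + first, "--last=" + last,
            "--principal-expiration=" + expiration_in(days, now_gt)]


RAW_ATTR = re.compile(r"^\s+([\w;-]+):\s*(.*)$")


def parse_user_find_raw(text):
    """Parse `ipa user-find --all --raw` output into one dict per entry.

    --raw prints every attribute as `  name: value`, entries separated by a
    blank line; repeated names are multi-valued, so values are kept as lists.
    Header/footer lines ("N users matched", "-----") are not indented and
    simply end the current entry.
    """
    entries, current = [], {}
    for line in text.splitlines():
        m = RAW_ATTR.match(line)
        if m:
            current.setdefault(m.group(1).lower(), []).append(m.group(2))
        elif current:
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries


def expiring_users(entries, now_gt, within_days=0):
    """[(uid, expiration)] for users already expired or expiring within
    `within_days` of `now_gt`; users without the attribute never expire."""
    horizon = parse_gt(now_gt) + timedelta(days=within_days)
    hits = []
    for e in entries:
        exp = e.get("krbprincipalexpiration")
        if exp and parse_gt(exp[0]) <= horizon:
            hits.append((e["uid"][0], exp[0]))
    return hits


# Constructed sample in the --raw layout (not real output from any server).
SAMPLE_USER_FIND = """\
---------------
3 users matched
---------------
  dn: uid=contractor1,cn=users,cn=accounts,dc=mydomain,dc=com
  uid: contractor1
  krbprincipalexpiration: 20170310000000Z

  dn: uid=contractor2,cn=users,cn=accounts,dc=mydomain,dc=com
  uid: contractor2
  krbprincipalexpiration: 20170601000000Z

  dn: uid=rakesh,cn=users,cn=accounts,dc=mydomain,dc=com
  uid: rakesh
----------------------------
Number of entries returned 3
----------------------------
"""

if __name__ == "__main__":
    today = "20170303000000Z"
    print(" ".join(user_add_command("contractor3", "Temp", "User", 30, today)))
    for uid, exp in expiring_users(parse_user_find_raw(SAMPLE_USER_FIND), today, within_days=14):
        print(f"{uid} expires {exp}; extend with: ipa user-mod {uid} --principal-expiration=<new time>")
```

Feed the audit with real data via `ipa user-find --all --raw | python3 audit.py` style piping once the flag name is confirmed; the expiry only stops Kerberos authentication for the principal, so pair it with a password policy (`ipa pwpolicy`) if the account must also lose LDAP access.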

[Freeipa-users] freeipa hostbased auth "connection closed"

2017-02-05 Thread Rakesh Rajasekharan
Hi,

I am running a FreeIPA server, version 4.4.0, and have set up HBAC rules which
work fine.

However, on just one single host, I am seeing this issue where it is not
allowing me SSH access.
When I check my HBAC permissions it says access granted, but on trying to
log in it blocks me.

On the Freeipa server
ipa hbactest --user=p-testhbac --host=<my-test-host> --service=sshd


Access granted: True

  Matched rules: ipa-alluser-access
  Not matched rules: ipa-alluser-sudo-access

On the client I get this message while doing an ssh "Connection closed by
10.0.30.28".

In /var/log/secure I see these messages
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success;
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for
user p-testhbac: 4 (System error)
Feb  5 13:57:41 10 sshd[26692]: Failed password for p-testhbac from
10.0.4.6 port 40540 ssh2
Feb  5 13:57:41 10 sshd[26692]: fatal: Access denied for user p-testhbac by
PAM account configuration [preauth]

In /var/log/sssd/sssd_domain.log I see this error at the end:


(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor]
(0x0400): DP Request [PAM SELinux #13]: Request removed.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply]
(0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler]
(0x1000): Waiting for child [26795].
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler]
(0x0020): child [26795] failed with status [1].



But a few lines above, I see that I was allowed in by the HBAC rule.


 (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate]
(0x0100): ALLOWED by rule [ipa-alluser-access].
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate]
(0x0100): hbac_evaluate() >]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule
[ipa-alluser-access]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400):
DP Request [PAM Account #12]: Request handler finished [0]: Success
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [_dp_req_recv]
(0x0400): DP Request [PAM Account #12]: Receiving request data.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor]
(0x0400): DP Request [PAM Account #12]: Request removed.

I was allowed in per the HBAC rule.


Not sure what's blocking me.


Thanks
Rakesh
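An added example (editor's code, not the poster's or SSSD's) that correlates the two logs quoted above so the question "HBAC says granted, why am I blocked?" is answered from the lines themselves: it finds the HBAC grant, the PAM account result code and the failed helper child, and reports that the denial happened after HBAC. The sample lines are the ones from the post; the PAM code names are the standard Linux-PAM values.

```python
"""Why was sshd denied when HBAC said "granted"? Correlate /var/log/secure
with the SSSD domain log. Added example, not from the post; the sample
lines are the ones quoted in the post, and the PAM code names are the
standard Linux-PAM values (4 = PAM_SYSTEM_ERR, 6 = PAM_PERM_DENIED).
"""
import re

RE_AUTH_OK = re.compile(r"pam_sss\(sshd:auth\): authentication success;.*\buser=(\S+)")
RE_ACCT_DENY = re.compile(r"pam_sss\(sshd:account\): Access denied for user (\S+): (\d+) \(([^)]*)\)")
RE_HBAC_GRANT = re.compile(r"Access granted by HBAC rule \[([^\]]+)\]")
RE_DP_REQ = re.compile(r"DP Request \[PAM (\w+) #(\d+)\]")
RE_DP_RESULT = re.compile(r"DP Request \[PAM (\w+) #(\d+)\]: Sending result \[(\d+)\]")
RE_CHILD_FAIL = re.compile(r"child \[(\d+)\] failed with status \[(\d+)\]")

PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN",
             13: "PAM_ACCT_EXPIRED"}


def correlate(secure_lines, sssd_lines):
    """Pull the facts that matter out of both logs into one record."""
    r = {"auth_ok_user": None, "account_denial": None, "hbac_rule": None,
         "dp_requests": [], "dp_results": [], "failed_children": []}
    for line in secure_lines:
        m = RE_AUTH_OK.search(line)
        if m:
            r["auth_ok_user"] = m.group(1)
        m = RE_ACCT_DENY.search(line)
        if m:
            r["account_denial"] = (m.group(1), int(m.group(2)), m.group(3))
    for line in sssd_lines:
        m = RE_HBAC_GRANT.search(line)
        if m:
            r["hbac_rule"] = m.group(1)
        m = RE_DP_REQ.search(line)
        if m:
            req = (m.group(1), int(m.group(2)))
            if req not in r["dp_requests"]:
                r["dp_requests"].append(req)
        m = RE_DP_RESULT.search(line)
        if m:
            r["dp_results"].append((m.group(1), int(m.group(2)), int(m.group(3))))
        m = RE_CHILD_FAIL.search(line)
        if m:
            r["failed_children"].append((int(m.group(1)), int(m.group(2))))
    return r


def verdict(r):
    """State which stage produced the denial, using only the correlated facts."""
    if r["account_denial"] is None:
        return "no pam_sss(sshd:account) denial in the secure log"
    user, code, text = r["account_denial"]
    name = PAM_CODES.get(code, "unknown PAM code")
    if code == 6 and r["hbac_rule"] is None:
        return f"{user} denied with {code} ({name}) and no HBAC grant logged: this is an HBAC decision"
    if r["hbac_rule"]:
        stages = ", ".join(f"{k} #{n}" for k, n in r["dp_requests"])
        kids = ", ".join(f"pid {p} exit {s}" for p, s in r["failed_children"]) or "none"
        return (f"HBAC allowed {user} by rule [{r['hbac_rule']}] but the account stage "
                f"returned {code} ({name}); HBAC is not the blocker. Data-provider "
                f"requests seen: {stages}. Failed helper children: {kids}")
    return f"{user} denied with {code} ({name}); no HBAC decision logged"


# The lines quoted in the post (joined back onto single lines).
SAMPLE_SECURE = """\
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for user p-testhbac: 4 (System error)
Feb  5 13:57:41 10 sshd[26692]: Failed password for p-testhbac from 10.0.4.6 port 40540 ssh2
Feb  5 13:57:41 10 sshd[26692]: fatal: Access denied for user p-testhbac by PAM account configuration [preauth]
""".splitlines()

SAMPLE_SSSD = """\
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [ipa-alluser-access]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished [0]: Success
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0020): child [26795] failed with status [1].
""".splitlines()

if __name__ == "__main__":
    print(verdict(correlate(SAMPLE_SECURE, SAMPLE_SSSD)))
```

The useful output here is the pid of the failed child: grep the SSSD logs for that pid to see which helper it was and why it exited 1, rather than spending more time on the HBAC rules, which the logs show were satisfied.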

Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-26 Thread Rakesh Rajasekharan
I was seeing a lot of entries in the krb5kdc.log like below

"krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.219: ISSUE:
authtime 1485450918, etypes {rep=18 tkt=18 ses=18}, host/my-host@MYDOMAIN"

On one env where users rarely log in, even there I see a lot of such
requests.


Finally, I think I was able to track this down. There are a few local
accounts (non-FreeIPA) on my hosts. These are used to run some custom
scripts through cron and run frequently (every few minutes).
So, I feel whenever there's a request for "su - " or a sudo to
the local user, that would also end up calling the Kerberos service, and
since it runs so frequently on all the hosts, they would be choking the
IPA master / replica with so many requests.

Please correct me if I am wrong in the above assumption.

Going by the above logic, I have added a filter_users section with these
users in the sssd.conf. Hopefully I would see a drop in the number of
requests.




On Mon, Jan 23, 2017 at 11:27 PM, Robbie Harwood <rharw...@redhat.com>
wrote:

> Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> writes:
>
> > One more question I was curious about: when does the krb5kdc.log get
> > entries? I mean, is it only when someone makes an attempt to log in to a
> > server that the log file krb5kdc.log on the IPA master gets updated, or
> > are there other scenarios as well?
>
> It's controlled by /etc/kdc.conf ; take a look at the "[logging]" section
> in
> `man 5 kdc.conf` for more information.
>

Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-23 Thread Rakesh Rajasekharan
Thanks for the inputs.


One more question I was curious about: when does the krb5kdc.log get
entries? I mean, is it only when someone makes an attempt to log in to a
server that the log file krb5kdc.log on the IPA master gets updated, or are
there other scenarios as well?

Thanks
Rakesh

On Fri, Jan 20, 2017 at 3:09 AM, Robbie Harwood <rharw...@redhat.com> wrote:

> Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> writes:
>
> >> Great, glad it's fixed!  Are these VMs?  If not, you may wish to
> >> (re?)configure automatic syncing.
> >
> > yes these are AWS instances. How do I reconfigure auto syncing . Is
> > there a documentation I can follow.
>
> During install of the IPA server, it will set up an NTP server (unless
> you ask it not to).  During enrollment of each IPA client, it will
> configure NTP against that server (unless you ask it not to).  Disabling
> it is the -N flag in both cases.
>

Re: [Freeipa-users] Freeipa replica info to clents: guidance

2017-01-21 Thread Rakesh Rajasekharan
Thanks Matrix, I will add this option to my config params.

Regards,
Rakesh

On Sat, Jan 21, 2017 at 7:17 PM, Matrix <matrix...@qq.com> wrote:

> Hi, Rakesh
>
> Try 'ipa-client-install' with this option '--fixed-primary'. With it,
> '_srv_' will disappear.
>
> From man page:
>        --fixed-primary
>               Configure SSSD to use a fixed server as the primary IPA
>               server. The default is to use DNS SRV records to determine
>               the primary server to use and fall back to the server the
>               client is enrolled with. When used in conjunction with
>               --server then no _srv_ value is set in the ipa_server
>               option in sssd.conf.
>
> Matrix
> ------ Original --
> *From: * "Rakesh Rajasekharan";<rakesh.rajasekha...@gmail.com>;
> *Date: * Sat, Jan 21, 2017 10:09 PM
> *To: * "Matrix"<matrix...@qq.com>;
> *Cc: * "freeipa-users"<freeipa-users@redhat.com>;
> *Subject: * Re: [Freeipa-users] Freeipa replica info to clents: guidance
>
> Thanks Matrix.. for the inputs..
>
> > Firstly, '_srv_' means clients will find out which servers will be
> connected with by dns srv records. In your explanation, DNS did not
> configure in your env.
>
> After running the ipa-client, the _srv_ was automatically added. The
> config options I passed for configuring the host as an IPA client are
>
> ipa-client-install --domain=mydomain.com --server=ipa-master-int.
> mydomain.com --realm=MYDOMAIN.COM -p admin --password=mypass --mkhomedir
> --hostname=first-client-int.mydomain.com --no-ssh --no-sshd -N -f -U
>
>
> While configuring  IPA server , I did not pass the setup-dns options.(
> that avoids setting up the dns server I assume )
>
>
> ipa-server-install -r 'MYDOMAIN.COM' -n 'mydomain.com' -p mypass -P
> mypass -a mypass --hostname=ipa-master-int.mydomain.com -N -U
>
> So, I did not explicitly specify the _srv_ options. However, this has been
> working fine till now.
>
>
> > Secondly, 'replica' key words ? I can not find it from man pages of
> sssd-ipa. is it really working fine?
> Sorry, that was a typo from my side.
> It's actually
> ipa_server = _srv_, ipa-master-mydomain.com, ipa-replica-mydomain.com
>
> > So, I suggested to configure it in this way:
> > ipa_server = 
> > ipa_backup_server = 
>
> > For another half clients,
> > ipa_server = 
> > ipa_backup_server = 
>
> I will try this out.. probably I can safely leave out _srv_
>
> Thanks
> Rakesh
>
> On Sat, Jan 21, 2017 at 6:10 PM, Matrix <matrix...@qq.com> wrote:
>
>> For my understanding, there is something wrong with your configuration
>>
>> >> ipa_server = _srv_, ipa-master-mydomain.com, repilca
>> ipa-replica-mydomain.com
>>
>> Firstly, '_srv_' means clients will find out which servers will be
>> connected with by dns srv records. In your explanation, DNS did not
>> configure in your env.
>>
>> Secondly, 'replica' key words ? I can not find it from man pages of
>> sssd-ipa. is it really working fine?
>>
>> >>Also, can I define priority based on the order in which the IPA servers
>> are defined in
>> >>ipa_server = _srv_ ,,
>>
>> Your understanding is correct. Server priority is based on the sequence in
>> the conf file. There is a problem with this configuration. Once 'ipa1' fails,
>> all id lookup/authentication will happen with 'ipa2'. Even when 'ipa1' is
>> back, all clients will be sticky on 'ipa2'.
>>
>> So, I suggested to configure it in this way:
>> ipa_server = 
>> ipa_backup_server = 
>>
>> For another half clients,
>> ipa_server = 
>> ipa_backup_server = 
>>
>> Matrix
>>
>> -- Original --
>> *From: * "Rakesh Rajasekharan";<rakesh.rajasekha...@gmail.com>;
>> *Date: * Sat, Jan 21, 2017 08:25 PM
>> *To: * "freeipa-users"<freeipa-users@redhat.com>;
>> *Subject: * [Freeipa-users] Freeipa replica info to clents: guidance
>>
>> Hi,
>>
>> My Freeipa setup is on AWS ec2 instances and has been working fine with
>> just one master for a while now.
>>
>> I am now trying to set up replica servers, which I was able to, and the
>> replication between both masters goes fine.
>>
>> So, I have a master server ipa-master-mydomain.com and replica
>> ipa-replica-mydomain.com
>>
>> I am not using DNS and rely on AWS for DNS resolution instead.
>>
>> My question is, how do I tell clients about the new replica server?
>>
>> I tried an ent

Re: [Freeipa-users] Freeipa replica info to clents: guidance

2017-01-21 Thread Rakesh Rajasekharan
Thanks Matrix.. for the inputs..

> Firstly, '_srv_' means clients will find out which servers will be
connected with by dns srv records. In your explanation, DNS did not
configure in your env.

After running the ipa-client, the _srv_ was automatically added. The
config options I passed for configuring the host as an IPA client are

ipa-client-install --domain=mydomain.com --server=
ipa-master-int.mydomain.com --realm=MYDOMAIN.COM -p admin --password=mypass
--mkhomedir --hostname=first-client-int.mydomain.com --no-ssh --no-sshd -N
-f -U


While configuring  IPA server , I did not pass the setup-dns options.( that
avoids setting up the dns server I assume )


ipa-server-install -r 'MYDOMAIN.COM' -n 'mydomain.com' -p mypass -P mypass
-a mypass --hostname=ipa-master-int.mydomain.com -N -U

So, I did not explicitly specify the _srv_ options. However, this has been
working fine till now.


> Secondly, 'replica' key words ? I can not find it from man pages of
sssd-ipa. is it really working fine?
Sorry, that was a typo from my side.
It's actually
ipa_server = _srv_, ipa-master-mydomain.com, ipa-replica-mydomain.com

> So, I suggested to configure it in this way:
> ipa_server = 
> ipa_backup_server = 

> For another half clients,
> ipa_server = 
> ipa_backup_server = 

I will try this out.. probably I can safely leave out _srv_

Thanks
Rakesh

On Sat, Jan 21, 2017 at 6:10 PM, Matrix <matrix...@qq.com> wrote:

> For my understanding, there is something wrong with your configuration
>
> >> ipa_server = _srv_, ipa-master-mydomain.com, repilca
> ipa-replica-mydomain.com
>
> Firstly, '_srv_' means clients will find out which servers will be
> connected with by dns srv records. In your explanation, DNS did not
> configure in your env.
>
> Secondly, 'replica' key words ? I can not find it from man pages of
> sssd-ipa. is it really working fine?
>
> >>Also, can I define priority based on the order in which the IPA servers
> are defined in
> >>ipa_server = _srv_ ,,
>
> Your understanding is correct. Server priority is based on the sequence in
> the conf file. There is a problem with this configuration. Once 'ipa1' fails,
> all id lookup/authentication will happen with 'ipa2'. Even when 'ipa1' is
> back, all clients will be sticky on 'ipa2'.
>
> So, I suggested to configure it in this way:
> ipa_server = 
> ipa_backup_server = 
>
> For another half clients,
> ipa_server = 
> ipa_backup_server = 
>
> Matrix
>
> -- Original --
> *From: * "Rakesh Rajasekharan";<rakesh.rajasekha...@gmail.com>;
> *Date: * Sat, Jan 21, 2017 08:25 PM
> *To: * "freeipa-users"<freeipa-users@redhat.com>;
> *Subject: * [Freeipa-users] Freeipa replica info to clents: guidance
>
> Hi,
>
> My Freeipa setup is on AWS ec2 instances and has been working fine with
> just one master for a while now.
>
> I am now trying to set up replica servers, which I was able to, and the
> replication between both masters goes fine.
>
> So, I have a master server ipa-master-mydomain.com and replica
> ipa-replica-mydomain.com
>
> I am not using DNS and rely on AWS for DNS resolution instead.
>
> My question is, how do I tell clients about the new replica server?
>
> I tried an entry in the sssd.conf domain section of the clients
>
>
> id_provider = ipa
> auth_provider = ipa
> ipa_server = _srv_, ipa-master-mydomain.com, repilca
> ipa-replica-mydomain.com
>
>
> This approach works fine and clients reach out to the replica as a
> failover. However, I wanted to verify if this is the correct way.
>
> Also, can I define priority based on the order in which the IPA servers
> are defined in
> ipa_server = _srv_ ,,
>
> If the above assumption is right, I could have half of my clients connect
> to master always and rest to the replica that way balancing the load.
>
>
> Thanks
> Rakesh
>
>
>
>
>

[Freeipa-users] Freeipa replica info to clents: guidance

2017-01-21 Thread Rakesh Rajasekharan
Hi,

My Freeipa setup is on AWS ec2 instances and has been working fine with
just one master for a while now.

I am now trying to set up replica servers, which I was able to, and the
replication between both masters goes fine.

So, I have a master server ipa-master-mydomain.com and replica
ipa-replica-mydomain.com

I am not using DNS and rely on AWS for DNS resolution instead.

My question is, how do I tell clients about the new replica server?

I tried an entry in the sssd.conf domain section of the clients


id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa-master-mydomain.com, repilca
ipa-replica-mydomain.com


This approach works fine and clients reach out to the replica as a
failover. However, I wanted to verify if this is the correct way.

Also, can I define priority based on the order in which the IPA servers are
defined in
ipa_server = _srv_ ,,

If the above assumption is right, I could have half of my clients connect
to master always and rest to the replica that way balancing the load.


Thanks
Rakesh
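As an added example (editor's code, not from the thread or SSSD) of Matrix's suggestion to give half the clients one primary and the other half the other, this assigns each client a primary by hashing its hostname, so the split is stable across rebuilds and generalises to any number of servers, and renders the matching sssd.conf fragment. `ipa_server` and `ipa_backup_server` are the sssd-ipa(5) options; the server names are placeholders taken from the thread.

```python
"""Split IPA clients across servers deterministically and render the
matching sssd.conf fragment. Added example, not from the thread; it
generalises Matrix's two-server suggestion to any number of servers.
Option names ipa_server / ipa_backup_server are from sssd-ipa(5); the
host names are placeholders.
"""
import hashlib


def assign_servers(client_hostname, servers):
    """Pick a primary for this client by hashing its name; the rest become backups.

    Hashing (rather than a random choice at install time) means a rebuilt
    client lands on the same server, and the split stays even as hosts
    come and go. The backup list is rotated so failover order varies too.
    """
    if not servers:
        raise ValueError("need at least one IPA server")
    digest = hashlib.sha256(client_hostname.encode()).digest()
    i = int.from_bytes(digest[:4], "big") % len(servers)
    return servers[i], servers[i + 1:] + servers[:i]


def render_sssd_domain(domain, primary, backups, use_srv=False):
    """sssd.conf [domain/...] fragment. `_srv_` is left out unless the caller
    wants DNS SRV discovery (the poster relies on plain DNS, not SRV records)."""
    primaries = (["_srv_"] if use_srv else []) + [primary]
    lines = [f"[domain/{domain}]",
             "id_provider = ipa",
             "auth_provider = ipa",
             "ipa_server = " + ", ".join(primaries)]
    if backups:
        lines.append("ipa_backup_server = " + ", ".join(backups))
    return "\n".join(lines) + "\n"


def distribution(hostnames, servers):
    """How many of `hostnames` land on each server (sanity check for balance)."""
    counts = {s: 0 for s in servers}
    for h in hostnames:
        counts[assign_servers(h, servers)[0]] += 1
    return counts


if __name__ == "__main__":
    servers = ["ipa-master.mydomain.com", "ipa-replica.mydomain.com"]
    primary, backups = assign_servers("first-client-int.mydomain.com", servers)
    print(render_sssd_domain("mydomain.com", primary, backups))
    print(distribution([f"web{i}.mydomain.com" for i in range(1000)], servers))
```

Drop the rendered fragment into the client's sssd.conf (or feed the primary to `ipa-client-install --server=... --fixed-primary`) and restart sssd; SSSD then fails over to the backup only while the primary is down, which is the behaviour Matrix describes for separating the two lists.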

Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-18 Thread Rakesh Rajasekharan
Hi there,

Sorry I could not get back on this earlier.

> Great, glad it's fixed!  Are these VMs?  If not, you may wish to
> (re?)configure automatic syncing.
Yes, these are AWS instances. How do I reconfigure auto syncing? Is there
documentation I can follow?
Sorry, I haven't done this before and there is not much info on that part.


Apart from this, I also have a correlation between the "Clock skew" issue
and an earlier issue that I posted in another thread.
Basically, I noticed that whenever I see clock skew errors, I see a lot of
connections in SYN_RECV state.

This is the list of SYN_RECV connections:

tcp        0      0 10.0.8.45:88        10.0.30.49:42695    SYN_RECV
tcp        0      0 10.0.8.45:88        10.0.15.72:44991    SYN_RECV
tcp        0      0 10.0.8.45:88        10.0.2.82:53265     SYN_RECV
tcp        0      0 10.0.8.45:88        10.0.31.253:57682   SYN_RECV
tcp        0      0 10.0.8.45:88        10.0.34.208:53488   SYN_RECV
tcp        0      0 10.0.8.45:88        10.0.27.17:47245    SYN_RECV
tcp        0      0 10.0.8.45:88        10.0.17.53:54504    SYN_RECV
tcp        0      0 10.0.8.45:88        10.0.24.78:47796    SYN_RECV
tcp        0      0 10.0.8.45:88        10.0.4.246:33607    SYN_RECV
tcp        0      0 10.0.8.45:88        10.0.27.91:34190    SYN_RECV
tcp        0      0 10.0.8.45:88        10.0.27.248:38012   SYN_RECV
tcp        0      0 10.0.8.45:88        10.0.15.139:51319   SYN_RECV
tcp        0      0 10.0.8.45:88        10.0.15.175:41188   SYN_RECV


Thanks,
Rakesh



On Tue, Jan 10, 2017 at 12:48 AM, Robbie Harwood <rharw...@redhat.com>
wrote:

> Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> writes:
>
> > There were about 1500 hosts that were alerting for "clock skew" and the
> > issue went away only after I did a resync using ntpdate on all those
> hosts
>
> Great, glad it's fixed!  Are these VMs?  If not, you may wish to
> (re?)configure automatic syncing.
>
> > Is it possible that such a high number of minor offsets adds up and
> > causes it? Because from the individual offsets it looks much below the
> > 5 min limit.
>
> Not as such, if I understand you correctly?  This should only be a
> problem between any two machines that need to communicate (including the
> freeipa KDC).
>
> > Or, is there a way to tell whats the offset limit its actually looking
> for.
>
> 5 minutes almost certainly.  The parameter to configure it is
> "clockskew" in the config files, but I don't think IPA touches that.
>
> Hope that helps,
> --Robbie
>

Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-09 Thread Rakesh Rajasekharan
Yes, on the IPA server as well the offset isn't that high:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ip-10-10-1-150.e 132.163.4.101    2 u  119  128  377    0.431   -0.279   0.348

So, my NTP server, the IPA client and the IPA master all seem not to have
a high offset or jitter.

There were about 1500 hosts that were alerting for "clock skew" and the
issue went away only after I did a resync using ntpdate on all those hosts.

Is it possible that such a high number of minor offsets adds up and
causes it? Because from the individual offsets it looks much below the 5 min limit.

Or, is there a way to tell what offset limit it's actually looking for?

Thanks,
Rakesh



On Mon, Jan 9, 2017 at 1:42 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Mon, Jan 09, 2017 at 01:07:06PM +0530, Rakesh Rajasekharan wrote:
> > Hi,
> >
> > I am using a FreeIPA 4.2.0 server.
> >
> > I sometimes see "clock skew too great" errors in /var/log/krb5kdc.log. And
> > when this happens, usually logins or new ipa-client-install fails.
> >
> > When I checked on one of the hosts for which the clock skew was reported,
> >
> > #> ntpq -p
> >      remote           refid      st t when poll reach   delay   offset  jitter
> > ==============================================================================
> > *ip-10-10-1-150.e 171.66.97.126    2 u  869 1024  377    0.448    0.047   0.142
>
> In general, 5 minutes is OK at least. But are you sure the server is also
> in sync or just the client against an NTP server (iow, are you sure you
> are checking the difference between a client and the KDC as well?)
>
>

[Freeipa-users] Kerberos Clock Skew too great

2017-01-08 Thread Rakesh Rajasekharan
Hi,

I am using a FreeIPA 4.2.0 server.

I sometimes see "clock skew too great" errors in /var/log/krb5kdc.log. And
when this happens, usually logins or new ipa-client-install fails.

When I checked on one of the hosts for which the clock skew was reported,

#> ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ip-10-10-1-150.e 171.66.97.126    2 u  869 1024  377    0.448    0.047   0.142


Does the above output look fine in terms of the NTP sync?

What's the max time difference that's allowed for a client?

Thanks
Rakesh
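An added example (editor's code, not from the thread) that reads `ntpq -p` output like the tables above and answers both questions in the thread: whether the peer row looks healthy (a synced peer with full reach), and how much of the 5-minute Kerberos skew budget is used when the client and the KDC are compared with each other, which is the comparison Jakub points at. The sample tables are rebuilt from the numbers quoted in the thread; 300 s is the krb5 default `clockskew` Robbie mentions.

```python
"""Read `ntpq -p` output and check the time offset against the Kerberos
clock-skew limit. Added example, not from the thread. Column layout is
ntpq's standard peer table; the two sample tables are rebuilt from the
numbers quoted in the thread. 300 s is the krb5 default `clockskew`.
"""

KRB5_DEFAULT_CLOCKSKEW_S = 300
TALLY_CODES = "*+-#x.o"          # '*' = the peer the local clock is synced to
PEER_TYPES = ("u", "l", "b", "m", "s", "p")


def parse_ntpq_peers(text):
    """Return one dict per peer row; header and ===== rule rows are skipped."""
    peers = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 10 or cols[3] not in PEER_TYPES:
            continue
        remote = cols[0]
        tally, remote = (remote[0], remote[1:]) if remote[0] in TALLY_CODES else (" ", remote)
        peers.append({
            "tally": tally, "remote": remote, "refid": cols[1],
            "stratum": int(cols[2]),
            "reach": int(cols[6], 8),        # octal shift register of the last 8 polls; 0o377 = all answered
            "delay_ms": float(cols[7]), "offset_ms": float(cols[8]), "jitter_ms": float(cols[9]),
        })
    return peers


def synced_peer(peers):
    return next((p for p in peers if p["tally"] == "*"), None)


def skew_report(client_peers, kdc_peers, limit_s=KRB5_DEFAULT_CLOCKSKEW_S):
    """Kerberos compares the client's clock with the KDC's, so the number
    that matters is the gap between those two hosts, not either host's NTP
    offset on its own. Both offsets are measured against (nearly) the same
    reference, so the worst-case gap is the sum of their magnitudes."""
    c, k = synced_peer(client_peers), synced_peer(kdc_peers)
    if c is None or k is None:
        return {"synced": False, "worst_case_s": None, "within_limit": False}
    worst = (abs(c["offset_ms"]) + abs(k["offset_ms"])) / 1000.0
    return {
        "synced": True,
        "reach_ok": c["reach"] == 0o377 and k["reach"] == 0o377,
        "worst_case_s": worst,
        "within_limit": worst < limit_s,
        "headroom_s": limit_s - worst,
    }


# Rebuilt from the two ntpq -p rows quoted in the thread (client, then IPA master).
CLIENT_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ip-10-10-1-150.e 171.66.97.126    2 u  869 1024  377    0.448    0.047   0.142
"""
KDC_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ip-10-10-1-150.e 132.163.4.101    2 u  119  128  377    0.431   -0.279   0.348
"""

if __name__ == "__main__":
    print(skew_report(parse_ntpq_peers(CLIENT_NTPQ), parse_ntpq_peers(KDC_NTPQ)))
```

With both hosts showing a `*` peer and reach 377, the combined worst case here is well under a millisecond, so a "clock skew too great" error on such a host points at a client whose ntpd was not actually running or not yet synced at the time (no `*` row), which is why a one-off `ntpdate` fixed it.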

[Freeipa-users] Server unwilling to perform error

2016-10-12 Thread Rakesh Rajasekharan
Hi There,

I am running FreeIPA version 4.2.0.

I have been noticing that frequently I get this error "ipa: ERROR: Server
is unwilling to perform: Entry permanently locked."
when I try to run any ipa commands like ipa user-find or user-status.

Finally I see that my admin account has been locked and I need to unlock it
manually.

I don't see anything in the krb5kdc.log. Are there any other specific logs
that can give me pointers as to what could be going wrong, as I see this
almost daily?

Thanks,
Rakesh

[Freeipa-users] kinit: admin account getting locked out frequently

2016-09-29 Thread Rakesh Rajasekharan
Hi All ,

In my FreeIPA setup, I am frequently seeing this error "kinit: Clients
credentials have been revoked while getting initial credentials" while I
try "kinit admin".

I have tried decreasing the "--failinterval" and increasing the "--maxfail"
values.

However, I still continue to see this error and it does not get unlocked.

I have to manually unlock using "modprinc -unlock ad...@xyz.com".

In the history on the IPA admin server, I do not see any instances of
"kinit admin" being run.

Is there anything else that I should check to trace the cause of this?


Thanks.

Rakesh
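Two symptoms on this page, the flood of TGS_REQs that Rakesh traced to cron jobs (message of 2017-03-03 above) and the admin account getting locked out with no obvious source, are both answered by the same krb5kdc.log summary. The following is an added example (editor's code, not from the thread or MIT krb5): it parses the `krb5kdc[pid](info): REQ (...) IP: STATUS: ...` entries of the shape shown in the thread, ranks source IPs and client principals by TGS_REQ volume, and counts failed pre-authentications per (principal, source IP) so the host burning the admin's failcount can be found. The log sample is constructed in that format, not real data.

```python
"""Summarise an MIT krb5kdc.log: who sends the most TGS_REQs, and which
(principal, source IP) pairs keep failing pre-authentication.
Added example, not from the thread or from MIT krb5. The line layout
follows the entry quoted in the thread; the sample is constructed.
"""
import re
from collections import Counter

KDC_LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\((?P<etypes>[^)]*)\) (?P<ip>[0-9a-fA-F.:]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$")
# "... client@REALM for server@REALM" (a trailing ", reason" may follow on failures)
PRINCIPALS = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)")


def parse_kdc_line(line):
    m = KDC_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS.search(rec["rest"])
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server") if p else None
    return rec


def parse_kdc_log(text):
    return [r for r in (parse_kdc_line(l) for l in text.splitlines()) if r]


def top_tgs_clients(records, n=5):
    """Source IPs issuing the most TGS_REQs; cron jobs that su/sudo every few
    minutes through SSSD show up here as a steady stream from one host."""
    return Counter(r["ip"] for r in records if r["req"] == "TGS_REQ").most_common(n)


def top_tgs_principals(records, n=5):
    return Counter(r["client"] for r in records
                   if r["req"] == "TGS_REQ" and r["client"]).most_common(n)


def failed_preauth_by_source(records):
    """(client principal, ip) -> number of AS_REQs that ended in a failure.
    NEEDED_PREAUTH is the normal first leg of every AS exchange, not a failure;
    anything else that is not ISSUE counts against the principal's failcount."""
    return Counter((r["client"], r["ip"]) for r in records
                   if r["req"] == "AS_REQ" and r["status"] not in ("ISSUE", "NEEDED_PREAUTH"))


# Constructed sample in the krb5kdc.log format quoted in the thread (not real data).
SAMPLE_KDC_LOG = """\
Jan 26 17:35:18 ipa-master krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.219: ISSUE: authtime 1485450918, etypes {rep=18 tkt=18 ses=18}, host/my-host@MYDOMAIN for ldap/ipa-master.mydomain.com@MYDOMAIN
Jan 26 17:36:18 ipa-master krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.219: ISSUE: authtime 1485450918, etypes {rep=18 tkt=18 ses=18}, host/my-host@MYDOMAIN for ldap/ipa-master.mydomain.com@MYDOMAIN
Jan 26 17:36:40 ipa-master krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.220: ISSUE: authtime 1485450920, etypes {rep=18 tkt=18 ses=18}, host/other-host@MYDOMAIN for ldap/ipa-master.mydomain.com@MYDOMAIN
Jan 26 17:37:02 ipa-master krb5kdc[10403](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.4.6: NEEDED_PREAUTH: admin@MYDOMAIN for krbtgt/MYDOMAIN@MYDOMAIN, Additional pre-authentication required
Jan 26 17:37:02 ipa-master krb5kdc[10403](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.4.6: PREAUTH_FAILED: admin@MYDOMAIN for krbtgt/MYDOMAIN@MYDOMAIN, Preauthentication failed
Jan 26 17:37:30 ipa-master krb5kdc[10403](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.4.6: PREAUTH_FAILED: admin@MYDOMAIN for krbtgt/MYDOMAIN@MYDOMAIN, Preauthentication failed
Jan 26 17:38:00 ipa-master krb5kdc[10403](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.30.28: ISSUE: authtime 1485452280, etypes {rep=18 tkt=18 ses=18}, admin@MYDOMAIN for krbtgt/MYDOMAIN@MYDOMAIN
"""

if __name__ == "__main__":
    recs = parse_kdc_log(SAMPLE_KDC_LOG)
    print("busiest TGS sources:", top_tgs_clients(recs))
    print("busiest TGS principals:", top_tgs_principals(recs))
    print("failed pre-auth by (principal, ip):", dict(failed_preauth_by_source(recs)))
```

Run it over the real file (`python3 kdcsum.py < /var/log/krb5kdc.log`) on the master: if the admin lockout shows up as PREAUTH_FAILED pairs from one IP that is not the box you type `kinit admin` on, that IP has a script or stored credential with a stale admin password, which a shell history on the server will never reveal.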

Re: [Freeipa-users] Fwd: Re: Increase ListenBacklog for httpd

2016-09-20 Thread Rakesh Rajasekharan
Thanks Robbie for the inputs. The load should not have been high, as I have
around 4000 clients with 160 users, which should be manageable.

However, I saw a lot of "clock skew too great" errors in my krb5kdc.log;
however, I haven't been able to verify if those were genuine.

Can too many clock skew errors take down the Kerberos service?

On Mon, Sep 19, 2016 at 10:15 PM, Robbie Harwood <rharw...@redhat.com>
wrote:

> Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> writes:
>
> > On Mon, Sep 12, 2016 at 10:13 AM, Rakesh Rajasekharan
> > <rakesh.rajasekha...@gmail.com <mailto:rakesh.rajasekha...@gmail.com>>
> > wrote:
> >
> > Sorry, I guess I did not put the question correctly.
> >
> > I wanted to know: like we have the ListenBacklog for Apache to
> > basically define the number of connections it can handle, do we
> > have something similar for our krb5kdc service? As the SYN flooding
> > at 88 looks like the krb5kdc service is not able to handle a sudden spurt
> > in connections, or the number of connections is more than it could
> > handle.
> >
> > So, it would be great if I could know how many connections it can
> > support at any given time. Most of the time I see this error while
> > I add clients to the IPA master, so if there's a known limit, I could
> > first check netstat to see how many connections I have at any point
> > and, if it's below the limit, only then set up ipa-client-install.
>
> We intentionally do not have such a parameter in krb5.  We call
> listen(5) internally, but please note this is probably not the parameter
> you want to be able to tune.
>
> The listen() backlog is the number of connections that are waiting to be
> accept()ed by the process.  They sit in the kernel, not receiving
> SYNACK.  This number does not count connections that the process - here
> krb5kdc - has accept()ed and is currently processing.
>
> If you're truly seeing connections faster than they can be accept()ed,
> you have a load problem that tuning this parameter likely won't fix.
> You should probably configure replicas: krb5 will fall back if the
> connection is refused from one kdc to the next configured one.  This
> will result in faster operation for your users than waiting on an
> enormous listen() backlog will as well.
>
> A tunable for the listen value may be added in the future, but is not
> available at the present time.
>

[Freeipa-users] Freeipa 4.2.0 slow response

2016-09-12 Thread Rakesh Rajasekharan
Hi,

I am experiencing a very slow response from FreeIPA. The new passwords
that I am resetting are never working for the users, and it takes a lot of
time for an existing user to log in, around 25 secs.

Doing a kinit admin itself is very slow:

KRB5_TRACE=/dev/stderr kinit admin
[11298] 1473702491.60880: Getting initial credentials for ad...@xyz.com
[11298] 1473702491.62981: Sending request (167 bytes) to XYZ.COM
[11298] 1473702491.63119: Initiating TCP connection to stream 10.1.3.35:88
[11298] 1473702491.63359: Sending TCP request to stream 10.1.3.35:88
[11298] 1473702493.797835: Received answer (341 bytes) from stream
10.1.3.35:88
[11298] 1473702493.797848: Terminating TCP connection to stream 10.1.3.35:88
[11298] 1473702493.797911: Response was from master KDC
[11298] 1473702493.797956: Received error from KDC: -1765328359/Additional
pre-authentication required
[11298] 1473702493.797993: Processing preauth types: 136, 19, 2, 133
[11298] 1473702493.798005: Selected etype info: etype aes256-cts, salt
"V@Cbu147E#1;R0WD", params ""
[11298] 1473702493.798009: Received cookie: MIT
Password for ad...@xyz.com:
[11298] 1473702498.190064: AS key obtained for encrypted timestamp:
aes256-cts/2C9D
[11298] 1473702498.190109: Encrypted timestamp (for 1473702498.184527):
plain 301AA011180F32303136303931323137343831385AA105020302D0CF, encrypted
25FC8D37EFB6B7837C8D5C6649DFB9972010D40EE29D1222FBA45CAA98428E42C7FCC9B7FE881A04BD3390A6A9EDE9D2D93729FDF3E47B6D
[11298] 1473702498.190129: Preauth module encrypted_timestamp (2) (real)
returned: 0/Success
[11298] 1473702498.190133: Produced preauth for next request: 133, 2
[11298] 1473702498.190148: Sending request (261 bytes) to XYZ.COM
[11298] 1473702498.190246: Initiating TCP connection to stream 10.1.3.35:88
[11298] 1473702499.191933: Sending initial UDP request to dgram 10.1.3.35:88
[11298] 1473702502.195157: Sending retry UDP request to dgram 10.1.3.35:88
[11298] 1473702507.200405: Sending retry UDP request to dgram 10.1.3.35:88
[11298] 1473702513.226371: Sending TCP request to stream 10.1.3.35:88
[11298] 1473702515.797243: Received answer (730 bytes) from stream
10.1.3.35:88
[11298] 1473702515.797271: Terminating TCP connection to stream 10.1.3.35:88
[11298] 1473702515.797326: Response was from master KDC
[11298] 1473702515.797353: Processing preauth types: 19
[11298] 1473702515.797360: Selected etype info: etype aes256-cts, salt
"V@Cbu147E#1;R0WD", params ""
[11298] 1473702515.797394: Produced preauth for next request: (empty)
[11298] 1473702515.797401: AS key determined by preauth: aes256-cts/2C9D
[11298] 1473702515.797445: Decrypted AS reply; session key is:
aes256-cts/702E
[11298] 1473702515.797460: FAST negotiation: available
[11298] 1473702515.797478: Initializing KEYRING:persistent:0:0 with default
princ ad...@xyz.com
[11298] 1473702515.797534: Storing ad...@xyz.com -> krbtgt/xyz@xyz.com
in KEYRING:persistent:0:0
[11298] 1473702515.797572: Storing config in KEYRING:persistent:0:0 for
krbtgt/xyz@xyz.com: fast_avail: yes
[11298] 1473702515.797585: Storing ad...@xyz.com ->
krb5_ccache_conf_data/fast_avail/krbtgt\/XYZ.COM\@XYZ.COM@X-CACHECONF: in
KEYRING:persistent:0:0
[11298] 1473702515.797631: Storing config in KEYRING:persistent:0:0 for
krbtgt/xyz@xyz.com: pa_type: 2
[11298] 1473702515.797647: Storing ad...@xyz.com ->
krb5_ccache_conf_data/pa_type/krbtgt\/XYZ.COM\@XYZ.COM@X-CACHECONF: in
KEYRING:persistent:0:0

Are there any pointers as to what could be causing this slowness?

Thanks
Rakesh
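An added example (editor's code, not from the post or MIT krb5) that turns a KRB5_TRACE like the one above into per-request timings: it measures each "Sending request" to "Received answer" interval, counts UDP sends and notes when a TCP connect was started but abandoned for UDP, which is what the 17-second second exchange above shows. It assumes MIT's trace stamp format `[pid] seconds.microseconds:` with unpadded microseconds (so `491.60880` is 491.060880 s, not 491.6 s); the sample is the trace quoted in the post.

```python
"""Time the KDC exchanges in a KRB5_TRACE log. Added example, not from the
post or from MIT krb5. The sample is the trace quoted in the post (its
principal is elided there as well). Stamp format assumed as MIT prints
it: `[pid] seconds.microseconds:` with the microseconds unpadded, so
`1473702491.60880` means 1473702491 s + 60880 us.
"""
import re

TRACE_LINE = re.compile(r"^\[(?P<pid>\d+)\] (?P<sec>\d+)\.(?P<usec>\d+): (?P<msg>.*)$")


def parse_trace_time(stamp):
    """'1473702491.60880' -> 1473702491.060880 (unpadded microseconds)."""
    sec, usec = stamp.split(".")
    return int(sec) + int(usec) / 1_000_000


def parse_trace(text):
    """[(time, message)] for every trace line; prompts and other noise are skipped."""
    out = []
    for line in text.splitlines():
        m = TRACE_LINE.match(line)
        if m:
            out.append((parse_trace_time(m["sec"] + "." + m["usec"]), m["msg"]))
    return out


def kdc_exchanges(events):
    """One record per request to the KDC: wall time from "Sending request"
    to "Received answer", plus how the transport behaved in between."""
    exchanges, cur = [], None
    for t, msg in events:
        if msg.startswith("Sending request ("):
            cur = {"start": t, "udp_sends": 0, "tcp_sends": 0,
                   "tcp_abandoned": False, "_tcp_pending": False}
        elif cur is None:
            continue
        elif msg.startswith("Initiating TCP connection"):
            cur["_tcp_pending"] = True
        elif "UDP request" in msg:
            cur["udp_sends"] += 1
            if cur["_tcp_pending"]:        # TCP connect produced no send before UDP: it was given up
                cur["tcp_abandoned"] = True
                cur["_tcp_pending"] = False
        elif msg.startswith("Sending TCP request"):
            cur["tcp_sends"] += 1
            cur["_tcp_pending"] = False
        elif msg.startswith("Received answer ("):
            cur["seconds"] = t - cur["start"]
            del cur["_tcp_pending"]
            exchanges.append(cur)
            cur = None
    return exchanges


def slowest(exchanges):
    return max(exchanges, key=lambda e: e["seconds"]) if exchanges else None


# The trace lines quoted in the post (joined back onto single lines).
SAMPLE_TRACE = """\
[11298] 1473702491.60880: Getting initial credentials for ad...@xyz.com
[11298] 1473702491.62981: Sending request (167 bytes) to XYZ.COM
[11298] 1473702491.63119: Initiating TCP connection to stream 10.1.3.35:88
[11298] 1473702491.63359: Sending TCP request to stream 10.1.3.35:88
[11298] 1473702493.797835: Received answer (341 bytes) from stream 10.1.3.35:88
[11298] 1473702493.797848: Terminating TCP connection to stream 10.1.3.35:88
[11298] 1473702493.797956: Received error from KDC: -1765328359/Additional pre-authentication required
Password for ad...@xyz.com:
[11298] 1473702498.190148: Sending request (261 bytes) to XYZ.COM
[11298] 1473702498.190246: Initiating TCP connection to stream 10.1.3.35:88
[11298] 1473702499.191933: Sending initial UDP request to dgram 10.1.3.35:88
[11298] 1473702502.195157: Sending retry UDP request to dgram 10.1.3.35:88
[11298] 1473702507.200405: Sending retry UDP request to dgram 10.1.3.35:88
[11298] 1473702513.226371: Sending TCP request to stream 10.1.3.35:88
[11298] 1473702515.797243: Received answer (730 bytes) from stream 10.1.3.35:88
[11298] 1473702515.797271: Terminating TCP connection to stream 10.1.3.35:88
"""

if __name__ == "__main__":
    for i, e in enumerate(kdc_exchanges(parse_trace(SAMPLE_TRACE)), 1):
        print(f"exchange {i}: {e['seconds']:.3f}s, udp sends {e['udp_sends']}, "
              f"tcp sends {e['tcp_sends']}, tcp abandoned {e['tcp_abandoned']}")
```

On the trace above the first exchange takes about 2.7 s and the second about 17.6 s, almost all of it spent waiting: one second on a TCP connect that never got a request out, then three UDP sends with no reply, and finally a TCP request that the KDC took 2.5 s to answer. Even the simple TCP round trips take seconds here, which is the KDC-side delay worth chasing with the SYN_RECV observations in the other thread.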

Re: [Freeipa-users] Increase ListenBacklog for httpd

2016-09-12 Thread Rakesh Rajasekharan
Can anyone provide some insight on this please? I have been trying to
debug a hang issue for the past few weeks, and finally found that it starts
with this issue when I see a lot of connections in SYN_RECV state.

As it is happening now,

netstat shows around 14-16 connections in SYN_RECV.

If I could get some inputs on this, I could have some workaround to
mitigate the issues.

Thanks

On Mon, Sep 12, 2016 at 10:13 AM, Rakesh Rajasekharan <
rakesh.rajasekha...@gmail.com> wrote:

> Sorry, I guess I did not put the question correctly.
>
> I wanted to know: like we have the ListenBacklog for Apache to basically
> define the number of connections it can handle, do we have something
> similar for our krb5kdc service? As the SYN flooding at 88 looks like the
> krb5kdc service is not able to handle a sudden spurt in connections, or the
> number of connections is more than it could handle.
>
> So, it would be great if I could know how many connections it can support at
> any given time. Most of the time I see this error while I add clients to the
> IPA master, so if there's a known limit, I could first check netstat to see
> how many connections I have at any point and, if it's below the limit, only
> then set up ipa-client-install.
>
> Thanks,
>
> Rakesh
>
> On Sun, Sep 11, 2016 at 11:10 PM, Rakesh Rajasekharan <
> rakesh.rajasekha...@gmail.com> wrote:
>
>> Hi,
>>
>> In my Freeipa setup, I frequently see this message
>>
>> request_sock_TCP: Possible SYN flooding on port 88. Sending cookies
>>
>>
>> Is there a way to increase the ListenBacklog so that I can work around
>> this error as suggested in this doc?
>> https://access.redhat.com/solutions/30453
>>
>> Thanks,
>> Rakesh
>>
>>
>>
>

Re: [Freeipa-users] Increase ListenBacklog for httpd

2016-09-11 Thread Rakesh Rajasekharan
Sorry, I guess I did not put the question correctly.

I wanted to know: like we have the ListenBacklog for Apache to basically
define the number of connections it can handle, do we have something
similar for our krb5kdc service? As the SYN flooding at 88 looks like the
krb5kdc service is not able to handle a sudden spurt in connections, or the
number of connections is more than it could handle.

So, it would be great if I could know how many connections it can support at
any given time. Most of the time I see this error while I add clients to the
IPA master, so if there's a known limit, I could first check netstat to see
how many connections I have at any point and, if it's below the limit, only
then set up ipa-client-install.

Thanks,

Rakesh

On Sun, Sep 11, 2016 at 11:10 PM, Rakesh Rajasekharan <
rakesh.rajasekha...@gmail.com> wrote:

> Hi,
>
> In my Freeipa setup, I frequently see this message
>
> request_sock_TCP: Possible SYN flooding on port 88. Sending cookies
>
>
> Is there a way to increase the ListenBacklog so that I can work around this
> error as suggested in this doc:
> https://access.redhat.com/solutions/30453
>
> Thanks,
> Rakesh
>
>
>

[Freeipa-users] Increase ListenBacklog for httpd

2016-09-11 Thread Rakesh Rajasekharan
Hi,

In my Freeipa setup, I frequently see this message

request_sock_TCP: Possible SYN flooding on port 88. Sending cookies


Is there a way to increase the ListenBacklog so that I can work around this
error as suggested in this doc:
https://access.redhat.com/solutions/30453

Thanks,
Rakesh
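
Added example (not code from the thread, from FreeIPA or from MIT krb5): the kernel logs "Possible SYN flooding on port N" when the SYN (half-open) queue of the listening socket on that port overflows and it falls back to SYN cookies. That queue is sized from the backlog the daemon passes to listen() (which is what Apache's ListenBacklog sets), capped by net.core.somaxconn, with net.ipv4.tcp_max_syn_backlog as a further cap. It is a queue of connections not yet accepted, not a limit on how many clients the KDC can serve, so counting established connections in netstat will not predict the message. For a LISTEN socket, `ss -ltn` prints the current accept-queue length as Recv-Q and the effective backlog as Send-Q, which is enough to tell whether the limit is the daemon's own listen() value or a sysctl. The script parses constructed `ss -ltn`, `sysctl` and `dmesg` output (the values are assumed, not taken from the poster's host) and reports what each number implies for one port:

```python
"""Explain a "Possible SYN flooding on port N" message from queue numbers.

Added example, not code from the thread, FreeIPA or MIT krb5. All inputs
are constructed so the script runs offline; on a real host replace the
three constants with the output of `ss -ltn`, `sysctl` and `dmesg`.
"""
import re
from dataclasses import dataclass

# Constructed sample output of `ss -ltn` (assumed values, not the poster's host).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:389          0.0.0.0:*
LISTEN  5       5       0.0.0.0:88           0.0.0.0:*
LISTEN  5       5       [::]:88              [::]:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
"""
# Constructed `sysctl` output.
SYSCTL_OUTPUT = """\
net.core.somaxconn = 128
net.ipv4.tcp_max_syn_backlog = 256
net.ipv4.tcp_syncookies = 1
"""
# Constructed kernel log lines in the format quoted in the thread.
DMESG = """\
[ 1116.248431] TCP: request_sock_TCP: Possible SYN flooding on port 88. Sending cookies.  Check SNMP counters.
[ 1130.002011] TCP: request_sock_TCP: Possible SYN flooding on port 88. Sending cookies.  Check SNMP counters.
"""


@dataclass
class Listener:
    local: str
    port: int
    recv_q: int  # connections handshaked but not yet accept()ed
    send_q: int  # effective backlog: min(listen() argument, net.core.somaxconn)


SS_LINE = re.compile(r"^LISTEN\s+(\d+)\s+(\d+)\s+(\S+):(\d+)\s+\S+$")
SYN_FLOOD = re.compile(r"Possible SYN flooding on port (\d+)")


def parse_ss(text):
    """Parse the LISTEN rows of `ss -ltn`."""
    rows = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            rows.append(Listener(m.group(3), int(m.group(4)), int(m.group(1)), int(m.group(2))))
    return rows


def parse_sysctl(text):
    """Parse `key = value` lines into {key: int}."""
    values = {}
    for line in text.splitlines():
        if "=" in line:
            key, val = line.split("=", 1)
            values[key.strip()] = int(val.strip())
    return values


def syn_flood_counts(dmesg):
    """Count kernel SYN-flood messages per port."""
    counts = {}
    for m in SYN_FLOOD.finditer(dmesg):
        port = int(m.group(1))
        counts[port] = counts.get(port, 0) + 1
    return counts


def assess(port, listeners, sysctl, dmesg):
    """Return (code, detail) findings for one port; an empty list means nothing to report."""
    findings = []
    floods = syn_flood_counts(dmesg).get(port, 0)
    if floods:
        findings.append(("syn_flood_logged", f"{floods} kernel message(s) for port {port}"))
    somaxconn = sysctl.get("net.core.somaxconn", 0)
    for l in listeners:
        if l.port != port:
            continue
        if l.recv_q >= l.send_q:
            findings.append(("accept_queue_full",
                             f"{l.local}:{port} Recv-Q {l.recv_q} >= Send-Q {l.send_q}: "
                             "the daemon is not calling accept() fast enough"))
        if l.send_q < somaxconn:
            findings.append(("daemon_backlog_limits",
                             f"{l.local}:{port} backlog {l.send_q} < somaxconn {somaxconn}: "
                             "the cap is the daemon's own listen() value, sysctls will not raise it"))
        elif l.send_q == somaxconn:
            findings.append(("somaxconn_limits",
                             f"{l.local}:{port} backlog is capped by net.core.somaxconn={somaxconn}"))
    return findings


if __name__ == "__main__":
    for code, detail in assess(88, parse_ss(SS_OUTPUT), parse_sysctl(SYSCTL_OUTPUT), DMESG):
        print(f"{code}: {detail}")
```

If Send-Q equals net.core.somaxconn, raising that sysctl and restarting the daemon lifts the cap; if Send-Q is lower, the number comes from the daemon's listen() call and, where the daemon has no backlog directive, the only lever on the server side is to throttle the clients (fewer simultaneous ipa-client-install runs). SYN cookies keep the service reachable in either case, so the message is a capacity signal rather than a failure by itself.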

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-09-05 Thread Rakesh Rajasekharan
Hi Thierry,


I was getting the hang issue while running ipa-client-install
simultaneously on a few clients.
However, today, I am not able to replicate that.

I could not get a gdb stack. But I will try getting that the next time I face
this issue.

The CPU does not stay high; it just momentarily touches a high value and
then drops down to around 2-7%.

One question I have is: is it OK to set nsslapd-threadnumber to a very
high value?
I have around 4000 clients, and with nsslapd-maxthreadsperconn set to 5, can
I set nsslapd-threadnumber to around 25000?

Thanks

On Mon, Sep 5, 2016 at 1:03 PM, thierry bordaz <tbor...@redhat.com> wrote:

>
> Hi Rakesh,
>
> Were you able to get a pstack or full stack with gdb (
> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes) when
> the server hangs?
>
> If it happens with 500 threads as well as with 30, using 30 threads is a
> better choice to debug this issue.
> I will try to reproduce using 150 parallel 'ipa user-find p-testipa'
> commands.
>
> Something I am unsure of is whether the CPU consumption stays high (you
> mentioned 340% CPU usage) as long as the hang happens, or if after a sudden
> shoot up to 340% (that marks the beginning of the hang) it drops and stays hanging?
>
> thanks
> thierry
>
> On 09/04/2016 08:40 PM, Rakesh Rajasekharan wrote:
>
> strace on the slapd process actually had this in the output:
> FUTEX_WAIT_PRIVATE
>
> And checking the number of threads slapd had, there were 5015 threads:
>
> ps -efL|grep slapd|wc -l
> 5015
>
> strace on most of the threads gave this output:
>
> strace -p 67411
> Process 67411 attached
> futex(0x7f3f0226b41c, FUTEX_WAIT_PRIVATE, 1, NULL) = -1 EAGAIN (Resource
> temporarily unavailable)
> futex(0x7f3f0226b41c, FUTEX_WAIT_PRIVATE, 2, NULL^CProcess 67411 detached
>
>
>
>
>
> On Sun, Sep 4, 2016 at 5:34 PM, Rakesh Rajasekharan <
> rakesh.rajasekha...@gmail.com> wrote:
>
>> I have again got the issue of IPA hanging.. The issue came up when i
>> tried to run ipa-client-isntall on 142 clients simultaneously
>>
>>
>> None of the IPA commands are responding,  and I see this error
>>
>> ipa user-find p-testipa
>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more information (KDC
>> returned error string: PROCESS_TGS)
>>
>>  KRB5_TRACE=/dev/stdout kinit admin
>> [41178] 1472984115.233214: Getting initial credentials for ad...@xyz.com
>> [41178] 1472984115.235257: Sending request (167 bytes) to XYZ.COM
>> [41178] 1472984115.235419: Initiating TCP connection to stream
>> 10.1.3.36:88
>> [41178] 1472984115.235685: Sending TCP request to stream 10.1.3.36:88
>> [41178] 1472984120.238914: Received answer (174 bytes) from stream
>> 10.1.3.36:88
>> [41178] 1472984120.238925: Terminating TCP connection to stream
>> 10.1.3.36:88
>> [41178] 1472984120.238993: Response was from master KDC
>> [41
>>
>>
>> Running an ldapsearch to see the db.. does not give any results and just
>> hangs there
>>
>> ldapsearch -x -D 'cn=Directory Manager' -W -s one -b
>> 'cn=kerberos,dc=xyz,dc=com'
>> Enter LDAP Password:
>>
>> even an ldapsearch -x does not respond
>> At this point, am sure that slapd is the one causing issues
>>
>> Running an strace against the hung slapd itself seems to get stuck does
>> not proceed after saying "attaching to process"
>>
>> From some others posts I read Thierry suggesting to increase the
>> nsslapd-threadnumber value
>>
>> It was set to 30, I think that might be too low.
>>
>> I have raised it to  500
>>
>> Now after restarting the service .. ldapsearch starts responding.
>> But running the test to add a sudden high number of clients again left
>> ns-slapd to hung state
>>
>> When i attempted adding the clients.. the ns-slapd cpu usage shot up to
>> 340% and after that ns-slapd stopped responding
>>
>> So now, atleast I know what might be causing the issue and I can now
>> easily reproduce it.
>>
>> Is there a way I can make ns-slapd handle a sudden bump in incoming
>> request for ipa-client-install
>>
>> Thanks
>> Rakesh
>>
>>
>>
>>
>>
>>
>> On Mon, Aug 29, 2016 at 11:18 PM, Rich Megginson <rmegg...@redhat.com>
>> wrote:
>>
>>> On 08/29/2016 10:53 AM, Rakesh Rajasekharan wrote:
>>>
>>> Hi Thierry,
>>>
>>> My machine has 30GB RAM ..and  389-ds version is 1.3.4
>>>
>>>

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-09-04 Thread Rakesh Rajasekharan
strace on the slapd process actually had this in the output:
FUTEX_WAIT_PRIVATE

And checking the number of threads slapd had, there were 5015 threads:

ps -efL|grep slapd|wc -l
5015

strace on most of the threads gave this output:

strace -p 67411
Process 67411 attached
futex(0x7f3f0226b41c, FUTEX_WAIT_PRIVATE, 1, NULL) = -1 EAGAIN (Resource
temporarily unavailable)
futex(0x7f3f0226b41c, FUTEX_WAIT_PRIVATE, 2, NULL^CProcess 67411 detached





On Sun, Sep 4, 2016 at 5:34 PM, Rakesh Rajasekharan <
rakesh.rajasekha...@gmail.com> wrote:

> I have again got the issue of IPA hanging.. The issue came up when i tried
> to run ipa-client-isntall on 142 clients simultaneously
>
>
> None of the IPA commands are responding,  and I see this error
>
> ipa user-find p-testipa
> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information (KDC
> returned error string: PROCESS_TGS)
>
>  KRB5_TRACE=/dev/stdout kinit admin
> [41178] 1472984115.233214: Getting initial credentials for ad...@xyz.com
> [41178] 1472984115.235257: Sending request (167 bytes) to XYZ.COM
> [41178] 1472984115.235419: Initiating TCP connection to stream
> 10.1.3.36:88
> [41178] 1472984115.235685: Sending TCP request to stream 10.1.3.36:88
> [41178] 1472984120.238914: Received answer (174 bytes) from stream
> 10.1.3.36:88
> [41178] 1472984120.238925: Terminating TCP connection to stream
> 10.1.3.36:88
> [41178] 1472984120.238993: Response was from master KDC
> [41
>
>
> Running an ldapsearch to see the db.. does not give any results and just
> hangs there
>
> ldapsearch -x -D 'cn=Directory Manager' -W -s one -b
> 'cn=kerberos,dc=xyz,dc=com'
> Enter LDAP Password:
>
> even an ldapsearch -x does not respond
> At this point, am sure that slapd is the one causing issues
>
> Running an strace against the hung slapd itself seems to get stuck does
> not proceed after saying "attaching to process"
>
> From some others posts I read Thierry suggesting to increase the
> nsslapd-threadnumber value
>
> It was set to 30, I think that might be too low.
>
> I have raised it to  500
>
> Now after restarting the service .. ldapsearch starts responding.
> But running the test to add a sudden high number of clients again left
> ns-slapd to hung state
>
> When i attempted adding the clients.. the ns-slapd cpu usage shot up to
> 340% and after that ns-slapd stopped responding
>
> So now, atleast I know what might be causing the issue and I can now
> easily reproduce it.
>
> Is there a way I can make ns-slapd handle a sudden bump in incoming
> request for ipa-client-install
>
> Thanks
> Rakesh
>
>
>
>
>
>
> On Mon, Aug 29, 2016 at 11:18 PM, Rich Megginson <rmegg...@redhat.com>
> wrote:
>
>> On 08/29/2016 10:53 AM, Rakesh Rajasekharan wrote:
>>
>> Hi Thierry,
>>
>> My machine has 30GB RAM ..and  389-ds version is 1.3.4
>>
>> ldapsearch shows the values for nsslapd-cachememsize updated to 200MB.
>>
>> ldapsearch -LLL -o ldif-wrap=no -D "cn=directory manager" -w 'mypassword'
>> -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config'|grep
>> nsslapd-cachememsize
>> nsslapd-cachememsize: 209715200
>>
>>
>> So, it seems to have updated though seeing that warning(WARNING: ipaca:
>> entry cache size 10485760B is less than db size 11599872B) in the log
>> confuses me a bit.
>>
>> Thers one more entry that I found from the ldapsearch to be bit low
>>
>> nsslapd-dncachememsize: 10485760
>> maxdncachesize: 10485760
>>
>> Should I update these as well to a higher value
>>
>> At the time when the issue happened, the memory usage as well as the
>> overall load of the system was very low .
>> I will try reproducing the issue atleast in my QA env..probably by trying
>> to mock  simultaneous parallel logins to a large number of hosts
>>
>>
>> To monitor your cache sizes, please use the dbmon.sh tool provided with
>> your distro.  If that is not available with your particular distro, see
>> https://github.com/richm/scripts/wiki/dbmon.sh
>>
>>
>>
>>
>> thanks
>> Rakesh
>>
>>
>>
>>
>> On Mon, Aug 29, 2016 at 8:16 PM, thierry bordaz <tbor...@redhat.com>
>> wrote:
>>
>>> Hi Rakesh,
>>>
>>> Those tuning may depend on the memory available on your machine.
>>> nsslapd-cachememsize allows the entry cache to consume up to 200Mb but
>>> its memory footprint is known to go above.
>>> 200Mb both looks pretty good to me. How large is your machin

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-09-04 Thread Rakesh Rajasekharan
I have again got the issue of IPA hanging. The issue came up when I tried
to run ipa-client-install on 142 clients simultaneously.


None of the IPA commands are responding, and I see this error:

ipa user-find p-testipa
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (KDC
returned error string: PROCESS_TGS)

 KRB5_TRACE=/dev/stdout kinit admin
[41178] 1472984115.233214: Getting initial credentials for ad...@xyz.com
[41178] 1472984115.235257: Sending request (167 bytes) to XYZ.COM
[41178] 1472984115.235419: Initiating TCP connection to stream 10.1.3.36:88
[41178] 1472984115.235685: Sending TCP request to stream 10.1.3.36:88
[41178] 1472984120.238914: Received answer (174 bytes) from stream
10.1.3.36:88
[41178] 1472984120.238925: Terminating TCP connection to stream 10.1.3.36:88
[41178] 1472984120.238993: Response was from master KDC
[41


Running an ldapsearch to see the db does not give any results and just
hangs there:

ldapsearch -x -D 'cn=Directory Manager' -W -s one -b
'cn=kerberos,dc=xyz,dc=com'
Enter LDAP Password:

Even an ldapsearch -x does not respond.
At this point, I am sure that slapd is the one causing issues.

Running strace against the hung slapd itself seems to get stuck and does not
proceed after saying "attaching to process".

From some other posts I read Thierry suggesting to increase the
nsslapd-threadnumber value.

It was set to 30, I think that might be too low.

I have raised it to 500.

Now after restarting the service, ldapsearch starts responding.
But running the test to add a sudden high number of clients again left
ns-slapd in a hung state.

When I attempted adding the clients, the ns-slapd CPU usage shot up to
340% and after that ns-slapd stopped responding.

So now, at least I know what might be causing the issue and I can now easily
reproduce it.

Is there a way I can make ns-slapd handle a sudden bump in incoming requests
for ipa-client-install?

Thanks
Rakesh






On Mon, Aug 29, 2016 at 11:18 PM, Rich Megginson <rmegg...@redhat.com>
wrote:

> On 08/29/2016 10:53 AM, Rakesh Rajasekharan wrote:
>
> Hi Thierry,
>
> My machine has 30GB RAM ..and  389-ds version is 1.3.4
>
> ldapsearch shows the values for nsslapd-cachememsize updated to 200MB.
>
> ldapsearch -LLL -o ldif-wrap=no -D "cn=directory manager" -w 'mypassword'
> -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config'|grep
> nsslapd-cachememsize
> nsslapd-cachememsize: 209715200
>
>
> So, it seems to have updated though seeing that warning(WARNING: ipaca:
> entry cache size 10485760B is less than db size 11599872B) in the log
> confuses me a bit.
>
> Thers one more entry that I found from the ldapsearch to be bit low
>
> nsslapd-dncachememsize: 10485760
> maxdncachesize: 10485760
>
> Should I update these as well to a higher value
>
> At the time when the issue happened, the memory usage as well as the
> overall load of the system was very low .
> I will try reproducing the issue atleast in my QA env..probably by trying
> to mock  simultaneous parallel logins to a large number of hosts
>
>
> To monitor your cache sizes, please use the dbmon.sh tool provided with
> your distro.  If that is not available with your particular distro, see
> https://github.com/richm/scripts/wiki/dbmon.sh
>
>
>
>
> thanks
> Rakesh
>
>
>
>
> On Mon, Aug 29, 2016 at 8:16 PM, thierry bordaz <tbor...@redhat.com>
> wrote:
>
>> Hi Rakesh,
>>
>> Those tuning may depend on the memory available on your machine.
>> nsslapd-cachememsize allows the entry cache to consume up to 200Mb but
>> its memory footprint is known to go above.
>> 200Mb both looks pretty good to me. How large is your machine ? What is
>> your version of 389-ds ?
>>
>> Those warnings do not change your settings. It just raise that entry
>> cache of 'ipaca' and 'retrocl' are small but it is fine. The size of the
>> entry cache is important mostly in userRoot.
>> You may double check the actual values, after restart, with ldapsearch on
>> 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' and 'cn=config,cn=ldbm
>> database,cn=plugins,cn=config'.
>>
>> A step is to know what will be response time of DS to know if it is
>> responsible of the hang or not.
>> The logs and possibly pstack during those intermittent hangs will help to
>> determine that.
>>
>> regards
>> thierry
>>
>>
>>
>>
>>
>> On 08/29/2016 04:25 PM, Rakesh Rajasekharan wrote:
>>
>> I tried increasing the nsslapd-dbcachesize and nsslapd-cachememsize in my
>> QA envs to 200MB.
>>
>> However, in my log files, I still see this message
>> [29/Aug/2016:04:34:37 +]
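
Added example (not code from the thread, from MIT krb5 or from FreeIPA): KRB5_TRACE stamps every line with the epoch time, so the gap between "Sending TCP request to stream <kdc>" and "Received answer ... from stream <kdc>" is how long the KDC took to answer. In the trace quoted above that gap is about five seconds; on a FreeIPA master the KDC reads its principals from 389-ds, so a KDC that answers after seconds while ldapsearch hangs points at the directory rather than at the KDC. The script pairs sends with answers and flags slow KDCs. The trace is constructed to match the lines quoted above, unwrapped, with an EXAMPLE.COM realm and an assumed second, fast KDC at 10.1.3.37; the 1.0 s threshold is an assumption:

```python
"""Measure KDC round-trip time from KRB5_TRACE output.

Added example, not code from the thread, MIT krb5 or FreeIPA. The trace
below is constructed; run `KRB5_TRACE=/tmp/kinit.trace kinit admin` and
feed the file to parse_krb5_trace() on a real host.
"""
import re
from decimal import Decimal

# Constructed KRB5_TRACE excerpt: one slow KDC (as in the thread), one fast one (assumed).
TRACE = """\
[41178] 1472984115.233214: Getting initial credentials for admin@EXAMPLE.COM
[41178] 1472984115.235257: Sending request (167 bytes) to EXAMPLE.COM
[41178] 1472984115.235419: Initiating TCP connection to stream 10.1.3.36:88
[41178] 1472984115.235685: Sending TCP request to stream 10.1.3.36:88
[41178] 1472984120.238914: Received answer (174 bytes) from stream 10.1.3.36:88
[41178] 1472984120.238925: Terminating TCP connection to stream 10.1.3.36:88
[41178] 1472984120.238993: Response was from master KDC
[41178] 1472984120.240001: Sending initial UDP request to dgram 10.1.3.37:88
[41178] 1472984120.252001: Received answer (174 bytes) from dgram 10.1.3.37:88
"""

LINE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
SEND_RE = re.compile(r"^Sending (?:initial )?(?:TCP|UDP) request to (?:stream|dgram) (?P<kdc>\S+)$")
RECV_RE = re.compile(r"^Received answer \((?P<bytes>\d+) bytes\) from (?:stream|dgram) (?P<kdc>\S+)$")


def parse_krb5_trace(text):
    """Pair each send with the matching answer; return [{kdc, bytes, latency}] in trace order."""
    pending = {}  # kdc address -> Decimal timestamp of the outstanding send
    exchanges = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = Decimal(m["ts"]), m["msg"]
        s = SEND_RE.match(msg)
        if s:
            pending[s["kdc"]] = ts
            continue
        r = RECV_RE.match(msg)
        if r and r["kdc"] in pending:
            # Decimal keeps the microsecond arithmetic exact before converting.
            exchanges.append({"kdc": r["kdc"], "bytes": int(r["bytes"]),
                              "latency": float(ts - pending.pop(r["kdc"]))})
    return exchanges


def slow_kdcs(exchanges, threshold=1.0):
    """KDC addresses that took longer than `threshold` seconds to answer, slowest first."""
    slow = {}
    for e in exchanges:
        if e["latency"] > threshold:
            slow[e["kdc"]] = max(slow.get(e["kdc"], 0.0), e["latency"])
    return [kdc for kdc, _ in sorted(slow.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    ex = parse_krb5_trace(TRACE)
    for e in ex:
        print(f"{e['kdc']}: {e['latency']:.3f}s ({e['bytes']} bytes)")
    print("slow KDCs:", slow_kdcs(ex))
```

A KDC that answers in milliseconds while `ipa` commands still fail narrows the problem to the HTTP/LDAP path; one that answers in seconds, as here, says the KDC itself is waiting, which on FreeIPA almost always means its LDAP backend.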

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-29 Thread Rakesh Rajasekharan
Hi Thierry,

My machine has 30GB RAM, and the 389-ds version is 1.3.4.

ldapsearch shows the value of nsslapd-cachememsize updated to 200MB:

# -W prompts for the Directory Manager password instead of exposing it in
# the process list and shell history
ldapsearch -LLL -o ldif-wrap=no -D "cn=directory manager" -W \
  -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' | grep nsslapd-cachememsize
nsslapd-cachememsize: 209715200


So, it seems to have updated, though seeing that warning (WARNING: ipaca:
entry cache size 10485760B is less than db size 11599872B) in the log
confuses me a bit.

There's one more entry that I found from the ldapsearch to be a bit low:

nsslapd-dncachememsize: 10485760
maxdncachesize: 10485760

Should I update these as well to a higher value?

At the time when the issue happened, the memory usage as well as the
overall load of the system was very low.
I will try reproducing the issue at least in my QA env, probably by trying
to mock simultaneous parallel logins to a large number of hosts.


thanks
Rakesh




On Mon, Aug 29, 2016 at 8:16 PM, thierry bordaz <tbor...@redhat.com> wrote:

> Hi Rakesh,
>
> Those tunings may depend on the memory available on your machine.
> nsslapd-cachememsize allows the entry cache to consume up to 200MB, but its
> memory footprint is known to go above that.
> 200MB for both looks pretty good to me. How large is your machine? What is
> your version of 389-ds?
>
> Those warnings do not change your settings. They just raise that the entry
> caches of 'ipaca' and 'retrocl' are small, but it is fine. The size of the
> entry cache is important mostly in userRoot.
> You may double-check the actual values, after restart, with ldapsearch on
> 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' and 'cn=config,cn=ldbm
> database,cn=plugins,cn=config'.
>
> A step is to know what the response time of DS will be, to know whether it
> is responsible for the hang or not.
> The logs and possibly a pstack during those intermittent hangs will help to
> determine that.
>
> regards
> thierry
>
>
>
>
>
> On 08/29/2016 04:25 PM, Rakesh Rajasekharan wrote:
>
> I tried increasing the nsslapd-dbcachesize and nsslapd-cachememsize in my
> QA envs to 200MB.
>
> However, in my log files, I still see this message
> [29/Aug/2016:04:34:37 +0000] - WARNING: ipaca: entry cache size 10485760B
> is less than db size 11599872B; We recommend to increase the entry cache
> size nsslapd-cachememsize.
> [29/Aug/2016:04:34:37 +0000] - WARNING: changelog: entry cache size
> 2097152B is less than db size 441647104B; We recommend to increase the
> entry cache size nsslapd-cachememsize.
>
> These are the ldif files that I used to modify the values.
> Modify entry cache size:
> cat modify-cache-mem-size.ldif
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-cachememsize
> nsslapd-cachememsize: 209715200
>
> Modify db cache size:
> cat modfy-db-cache-size.ldif
> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-dbcachesize
> nsslapd-dbcachesize: 209715200
>
> After modifying, I restarted IPA services.
>
> Is there anything else that I need to take care of, as the logs suggest
> it's still not getting the updated values?
>
> Thanks
> Rakesh
>
> On Mon, Aug 29, 2016 at 6:07 PM, Rakesh Rajasekharan <
> rakesh.rajasekha...@gmail.com> wrote:
>
>> Hi Thierry,
>>
>> Coz of the issues we had to revert back to earlier running openldap in
>> production.
>>
>> I have now done a few TCP related changes in sysctl.conf and have also
>> increased the nsslapd-dbcachesize and nsslapd-cachememsize to 200MB
>>
>> I will again start migrating hosts back to IPA and see if I face the
>> earlier issue.
>>
>> I will update back once I have something
>>
>>
>> Thanks,
>> Rakesh
>>
>>
>>
>> On Thu, Aug 25, 2016 at 2:17 PM, thierry bordaz <tbor...@redhat.com>
>> wrote:
>>
>>>
>>>
>>> On 08/25/2016 10:15 AM, Rakesh Rajasekharan wrote:
>>>
>>> All of the troubleshooting seems fine.
>>>
>>>
>>> However, Running libconv.pl gives me this output
>>>
>>> - Recommendations -
>>>
>>>  1.  You have unindexed components, this can be caused from a search on
>>> an unindexed attribute, or your returned results exceeded the
>>> allidsthreshold.  Unindexed components are not recommended. To refuse
>>> unindexed searches, switch 'nsslapd-require-index' to 'on' under your
>>> database entry (e.g. cn=UserRoot,cn=ldbm database,cn=plugins,cn=config).
>>>
>>>  2.  You have a significant difference between binds and unbinds.  You
>>> may want to
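
Added example (not code from the thread, from 389-ds or from FreeIPA): each ldbm backend has its own entry cache, set on its own entry under cn=ldbm database,cn=plugins,cn=config, so the modify above on cn=userRoot raises only userRoot's cache. The two warnings name the ipaca and changelog backends, whose entries are cn=ipaca,... and cn=changelog,..., which is why they survive the change. The script turns the warning lines into one modify record per named backend and then checks an ldapsearch dump of the backends to confirm nothing is still below its db size. The log lines and the config dump are constructed from the formats shown in the thread; the 1.5x headroom factor and the 10 MiB floor are assumptions for illustration, not a 389-ds recommendation:

```python
"""Turn 389-ds "entry cache size ... is less than db size" warnings into
per-backend nsslapd-cachememsize changes, and verify them afterwards.

Added example, not code from the thread, 389-ds or FreeIPA. Inputs are
constructed; on a real server feed in /var/log/dirsrv/slapd-*/errors and
`ldapsearch -LLL -D "cn=Directory Manager" -W
 -b "cn=ldbm database,cn=plugins,cn=config" nsslapd-cachememsize`.
"""
import re

MIB = 1024 * 1024
LDBM_BASE = "cn=ldbm database,cn=plugins,cn=config"

# Constructed errors-log excerpt in the format quoted in the thread.
ERRORS_LOG = """\
[29/Aug/2016:04:34:37 +0000] - WARNING: ipaca: entry cache size 10485760B is less than db size 11599872B; We recommend to increase the entry cache size nsslapd-cachememsize.
[29/Aug/2016:04:34:37 +0000] - WARNING: changelog: entry cache size 2097152B is less than db size 441647104B; We recommend to increase the entry cache size nsslapd-cachememsize.
[29/Aug/2016:04:34:38 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
"""

# Constructed ldapsearch dump of the ldbm backends after the userRoot-only change.
CONFIG_DUMP = """\
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsslapd-cachememsize: 209715200

dn: cn=ipaca,cn=ldbm database,cn=plugins,cn=config
nsslapd-cachememsize: 10485760

dn: cn=changelog,cn=ldbm database,cn=plugins,cn=config
nsslapd-cachememsize: 2097152
"""

WARN_RE = re.compile(
    r"WARNING: (?P<backend>[^:]+): entry cache size (?P<cache>\d+)B is less than db size (?P<db>\d+)B")
DN_RE = re.compile(r"^dn: cn=(?P<backend>[^,]+)," + re.escape(LDBM_BASE) + r"$")


def parse_cache_warnings(log_text):
    """Return {backend: (cache_bytes, db_bytes)} for every warning line in the errors log."""
    found = {}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            found[m["backend"]] = (int(m["cache"]), int(m["db"]))
    return found


def recommended_cache_size(db_bytes, headroom=1.5, floor_bytes=10 * MIB):
    """Size the entry cache above the on-disk db with headroom, rounded up to whole MiB (assumed policy)."""
    target = max(int(db_bytes * headroom), floor_bytes)
    return -(-target // MIB) * MIB


def build_ldif(warnings):
    """One modify record per warned backend, in the shape ldapmodify -f expects."""
    records = []
    for backend, (_cache, db) in sorted(warnings.items()):
        records.append(
            f"dn: cn={backend},{LDBM_BASE}\n"
            "changetype: modify\n"
            "replace: nsslapd-cachememsize\n"
            f"nsslapd-cachememsize: {recommended_cache_size(db)}\n")
    return "\n".join(records)


def parse_config_dump(ldif_text):
    """Return {backend: cachememsize} from an ldapsearch dump of the ldbm backend entries."""
    sizes, backend = {}, None
    for line in ldif_text.splitlines():
        m = DN_RE.match(line)
        if m:
            backend = m["backend"]
        elif backend and line.startswith("nsslapd-cachememsize:"):
            sizes[backend] = int(line.split(":", 1)[1])
        elif not line.strip():
            backend = None  # blank line ends the LDIF record
    return sizes


def still_undersized(config_sizes, warnings):
    """Backends whose configured cache is still below the db size the warnings reported."""
    return sorted(b for b, (_c, db) in warnings.items() if config_sizes.get(b, 0) < db)


if __name__ == "__main__":
    warnings = parse_cache_warnings(ERRORS_LOG)
    print(build_ldif(warnings))
    print("still undersized:", still_undersized(parse_config_dump(CONFIG_DUMP), warnings))
```

Apply the generated LDIF with `ldapmodify -x -D "cn=Directory Manager" -W -f cache.ldif`, then repeat the thread's own check (restart, ldapsearch the backend entries) and run the dump through still_undersized(); an empty list means every backend named in the warnings is now above its db size. Raising the caches on a 30GB host is cheap, but the figures add up across backends, so keep the sum well under what the directory and the rest of the master need.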

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-29 Thread Rakesh Rajasekharan
Hi Thierry,

Because of the issues we had to revert back to the earlier running openldap in
production.

I have now done a few TCP-related changes in sysctl.conf and have also
increased nsslapd-dbcachesize and nsslapd-cachememsize to 200MB.

I will again start migrating hosts back to IPA and see if I face the
earlier issue.

I will update once I have something.


Thanks,
Rakesh



On Thu, Aug 25, 2016 at 2:17 PM, thierry bordaz <tbor...@redhat.com> wrote:

>
>
> On 08/25/2016 10:15 AM, Rakesh Rajasekharan wrote:
>
> All of the troubleshooting seems fine.
>
>
> However, running logconv.pl gives me this output:
>
> - Recommendations -
>
>  1.  You have unindexed components, this can be caused from a search on an
> unindexed attribute, or your returned results exceeded the
> allidsthreshold.  Unindexed components are not recommended. To refuse
> unindexed searches, switch 'nsslapd-require-index' to 'on' under your
> database entry (e.g. cn=UserRoot,cn=ldbm database,cn=plugins,cn=config).
>
>  2.  You have a significant difference between binds and unbinds.  You may
> want to investigate this difference.
>
>
> I feel this could be a pointer to things going slow and IPA hanging. I
> think I now have something that I can try to nail down this issue.
>
> On a side note, I was earlier running openldap and migrated over to
> FreeIPA.
>
> Thanks
> Rakesh
>
>
>
> On Wed, Aug 24, 2016 at 12:38 PM, Petr Spacek <pspa...@redhat.com> wrote:
>
>> On 23.8.2016 18:44, Rakesh Rajasekharan wrote:
>> > I think thers something seriously wrong with my system
>> >
>> > not able to run any  IPA commands
>> >
>> > klist
>> > Ticket cache: KEYRING:persistent:0:0
>> > Default principal: ad...@xyz.com
>> >
>> > Valid starting   Expires  Service principal
>> > 2016-08-23T16:26:36  2016-08-24T16:26:22  krbtgt/xyz@xyz.com
>> >
>> >
>> > [root@prod-ipa-master-1a :~] ipactl status
>> > Directory Service: RUNNING
>> > krb5kdc Service: RUNNING
>> > kadmin Service: RUNNING
>> > ipa_memcached Service: RUNNING
>> > httpd Service: RUNNING
>> > pki-tomcatd Service: RUNNING
>> > ipa-otpd Service: RUNNING
>> > ipa: INFO: The ipactl command was successful
>> >
>> >
>> >
>> > [root@prod-ipa-master :~] ipa user-find p-testuser
>> > ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may
>> > provide more information', 851968)/("Cannot contact any KDC for realm '
>> > XYZ.COM'", -1765328228)
>>
>
> Hi Rakesh,
>
> Having a reproducible test case would you rerun the command above.
> During its processing you may monitor DS process load (top). If it is
> high, you may get some pstacks of it.
> Also would you attach the part of DS access logs taken during the command.
>
> regards
> thierry
>
> >
>>
>> This is weird because the server seems to be up.
>>
>> Please follow
>> http://www.freeipa.org/page/Troubleshooting#Authentication.2FKerberos
>>
>> Petr^2 Spacek
>>
>> >
>> >
>> > Thanks
>> >
>> > Rakesh
>> >
>> > On Tue, Aug 23, 2016 at 10:01 PM, Rakesh Rajasekharan <
>> > rakesh.rajasekha...@gmail.com> wrote:
>> >
>> >> i changed the loggin level to 4 . Modifying nsslapd-accesslog-level
>> >>
>> >> But, the hang is still there. though I dont see the sigfault now
>> >>
>> >>
>> >>
>> >>
>> >> On Tue, Aug 23, 2016 at 9:02 PM, Rakesh Rajasekharan <
>> >> rakesh.rajasekha...@gmail.com> wrote:
>> >>
>> >>> My disk was getting filled too fast
>> >>>
>> >>> logs under /var/log/dirsrv was coming around 5 gb quickly filling up
>> >>>
>> >>> Is there a way to make the logging less verbose
>> >>>
>> >>>
>> >>>
>> >>> On Tue, Aug 23, 2016 at 6:41 PM, Petr Spacek <pspa...@redhat.com>
>> wrote:
>> >>>
>> >>>> On 23.8.2016 15:07, Rakesh Rajasekharan wrote:
>> >>>>> I was able to fix that may be temporarily... when i checked the
>> >>>> network..
>> >>>>> there was another process that was running and consuming a lot of
>> >>>> network (
>> >>>>> i have no idea who did that. I need to seriously start restricting
>> >>>> people

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-25 Thread Rakesh Rajasekharan
All of the troubleshooting seems fine.


However, running logconv.pl gives me this output:

- Recommendations -

 1.  You have unindexed components, this can be caused from a search on an
unindexed attribute, or your returned results exceeded the
allidsthreshold.  Unindexed components are not recommended. To refuse
unindexed searches, switch 'nsslapd-require-index' to 'on' under your
database entry (e.g. cn=UserRoot,cn=ldbm database,cn=plugins,cn=config).

 2.  You have a significant difference between binds and unbinds.  You may
want to investigate this difference.


I feel this could be a pointer to things going slow and IPA hanging. I
think I now have something that I can try to nail down this issue.

On a side note, I was earlier running openldap and migrated over to FreeIPA.

Thanks
Rakesh



On Wed, Aug 24, 2016 at 12:38 PM, Petr Spacek <pspa...@redhat.com> wrote:

> On 23.8.2016 18:44, Rakesh Rajasekharan wrote:
> > I think thers something seriously wrong with my system
> >
> > not able to run any  IPA commands
> >
> > klist
> > Ticket cache: KEYRING:persistent:0:0
> > Default principal: ad...@xyz.com
> >
> > Valid starting   Expires  Service principal
> > 2016-08-23T16:26:36  2016-08-24T16:26:22  krbtgt/xyz@xyz.com
> >
> >
> > [root@prod-ipa-master-1a :~] ipactl status
> > Directory Service: RUNNING
> > krb5kdc Service: RUNNING
> > kadmin Service: RUNNING
> > ipa_memcached Service: RUNNING
> > httpd Service: RUNNING
> > pki-tomcatd Service: RUNNING
> > ipa-otpd Service: RUNNING
> > ipa: INFO: The ipactl command was successful
> >
> >
> >
> > [root@prod-ipa-master :~] ipa user-find p-testuser
> > ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may
> > provide more information', 851968)/("Cannot contact any KDC for realm '
> > XYZ.COM'", -1765328228)
> >
>
> This is weird because the server seems to be up.
>
> Please follow
> http://www.freeipa.org/page/Troubleshooting#Authentication.2FKerberos
>
> Petr^2 Spacek
>
> >
> >
> > Thanks
> >
> > Rakesh
> >
> > On Tue, Aug 23, 2016 at 10:01 PM, Rakesh Rajasekharan <
> > rakesh.rajasekha...@gmail.com> wrote:
> >
> >> i changed the loggin level to 4 . Modifying nsslapd-accesslog-level
> >>
> >> But, the hang is still there. though I dont see the sigfault now
> >>
> >>
> >>
> >>
> >> On Tue, Aug 23, 2016 at 9:02 PM, Rakesh Rajasekharan <
> >> rakesh.rajasekha...@gmail.com> wrote:
> >>
> >>> My disk was getting filled too fast
> >>>
> >>> logs under /var/log/dirsrv was coming around 5 gb quickly filling up
> >>>
> >>> Is there a way to make the logging less verbose
> >>>
> >>>
> >>>
> >>> On Tue, Aug 23, 2016 at 6:41 PM, Petr Spacek <pspa...@redhat.com>
> wrote:
> >>>
> >>>> On 23.8.2016 15:07, Rakesh Rajasekharan wrote:
> >>>>> I was able to fix that may be temporarily... when i checked the
> >>>> network..
> >>>>> there was another process that was running and consuming a lot of
> >>>> network (
> >>>>> i have no idea who did that. I need to seriously start restricting
> >>>> people
> >>>>> access to this machine )
> >>>>>
> >>>>> after killing that perfomance improved drastically
> >>>>>
> >>>>> But now, suddenly I started experiencing the same hang.
> >>>>>
> >>>>> This time , I gert the following error when checked dmesg
> >>>>>
> >>>>> [  301.236976] ns-slapd[3124]: segfault at 0 ip 7f1de416951c sp
> >>>>> 7f1dee1dba70 error 4 in libcos-plugin.so[7f1de4166000+b000]
> >>>>> [ 1116.248431] TCP: request_sock_TCP: Possible SYN flooding on port
> 88.
> >>>>> Sending cookies.  Check SNMP counters.
> >>>>> [11831.397037] ns-slapd[22550]: segfault at 0 ip 7f533d82251c sp
> >>>>> 7f5347894a70 error 4 in libcos-plugin.so[7f533d81f000+b000]
> >>>>> [11832.727989] ns-slapd[22606]: segfault at 0 ip 7f6231eb951c sp
> >>>>> 7f623bf2ba70 error 4 in libcos-plugin.so[7f6231eb6000+b00
> >>>>
> >>>> Okay, this one is serious. The LDAP server crashed.
> >>>>
> >>>> 1. Make sure all your packages are up-to-date.
> >>>>

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-23 Thread Rakesh Rajasekharan
I think there's something seriously wrong with my system.

Not able to run any IPA commands:

klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ad...@xyz.com

Valid starting   Expires  Service principal
2016-08-23T16:26:36  2016-08-24T16:26:22  krbtgt/xyz@xyz.com


[root@prod-ipa-master-1a :~] ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful



[root@prod-ipa-master :~] ipa user-find p-testuser
ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may
provide more information', 851968)/("Cannot contact any KDC for realm '
XYZ.COM'", -1765328228)



Thanks

Rakesh

On Tue, Aug 23, 2016 at 10:01 PM, Rakesh Rajasekharan <
rakesh.rajasekha...@gmail.com> wrote:

> I changed the logging level to 4, modifying nsslapd-accesslog-level.
>
> But the hang is still there, though I don't see the segfault now.
>
>
>
>
> On Tue, Aug 23, 2016 at 9:02 PM, Rakesh Rajasekharan <
> rakesh.rajasekha...@gmail.com> wrote:
>
>> My disk was getting filled too fast
>>
>> logs under /var/log/dirsrv was coming around 5 gb quickly filling up
>>
>> Is there a way to make the logging less verbose
>>
>>
>>
>> On Tue, Aug 23, 2016 at 6:41 PM, Petr Spacek <pspa...@redhat.com> wrote:
>>
>>> On 23.8.2016 15:07, Rakesh Rajasekharan wrote:
>>> > I was able to fix that may be temporarily... when i checked the
>>> network..
>>> > there was another process that was running and consuming a lot of
>>> network (
>>> > i have no idea who did that. I need to seriously start restricting
>>> people
>>> > access to this machine )
>>> >
>>> > after killing that perfomance improved drastically
>>> >
>>> > But now, suddenly I started experiencing the same hang.
>>> >
>>> > This time , I gert the following error when checked dmesg
>>> >
>>> > [  301.236976] ns-slapd[3124]: segfault at 0 ip 7f1de416951c sp
>>> > 7f1dee1dba70 error 4 in libcos-plugin.so[7f1de4166000+b000]
>>> > [ 1116.248431] TCP: request_sock_TCP: Possible SYN flooding on port 88.
>>> > Sending cookies.  Check SNMP counters.
>>> > [11831.397037] ns-slapd[22550]: segfault at 0 ip 7f533d82251c sp
>>> > 7f5347894a70 error 4 in libcos-plugin.so[7f533d81f000+b000]
>>> > [11832.727989] ns-slapd[22606]: segfault at 0 ip 7f6231eb951c sp
>>> > 7f623bf2ba70 error 4 in libcos-plugin.so[7f6231eb6000+b00
>>>
>>> Okay, this one is serious. The LDAP server crashed.
>>>
>>> 1. Make sure all your packages are up-to-date.
>>>
>>> Please see
>>> http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#d
>>> ebugging-crashes
>>> for further instructions how to debug this.
>>>
>>> Petr^2 Spacek
>>>
>>> >
>>> > and in /var/log/dirsrv/example-com/errors
>>> >
>>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 3291138 (rc: 32)
>>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 3291139 (rc: 32)
>>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 3291140 (rc: 32)
>>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 3291141 (rc: 32)
>>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 3291142 (rc: 32)
>>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 3291143 (rc: 32)
>>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 3291144 (rc: 32)
>>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 3291145 (rc: 32)
>>> > [23/Aug/2016:12:49:50 +0000] - Retry count exceeded in delete
>>> > [23/Aug/2016:12:49:50 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 3292734 (rc: 51)
>>> >
>>> >

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-23 Thread Rakesh Rajasekharan
I changed the logging level to 4, modifying nsslapd-accesslog-level.

But the hang is still there, though I don't see the segfault now.




On Tue, Aug 23, 2016 at 9:02 PM, Rakesh Rajasekharan <
rakesh.rajasekha...@gmail.com> wrote:

> My disk was getting filled too fast
>
> logs under /var/log/dirsrv was coming around 5 gb quickly filling up
>
> Is there a way to make the logging less verbose
>
>
>
> On Tue, Aug 23, 2016 at 6:41 PM, Petr Spacek <pspa...@redhat.com> wrote:
>
>> On 23.8.2016 15:07, Rakesh Rajasekharan wrote:
>> > I was able to fix that, maybe temporarily... when I checked the
>> network..
>> > there was another process that was running and consuming a lot of
>> network (
>> > i have no idea who did that. I need to seriously start restricting
>> people
>> > access to this machine )
>> >
>> > after killing that performance improved drastically
>> >
>> > But now, suddenly I started experiencing the same hang.
>> >
>> > This time, I get the following error when I check dmesg
>> >
>> > [  301.236976] ns-slapd[3124]: segfault at 0 ip 7f1de416951c sp
>> > 7f1dee1dba70 error 4 in libcos-plugin.so[7f1de4166000+b000]
>> > [ 1116.248431] TCP: request_sock_TCP: Possible SYN flooding on port 88.
>> > Sending cookies.  Check SNMP counters.
>> > [11831.397037] ns-slapd[22550]: segfault at 0 ip 7f533d82251c sp
>> > 7f5347894a70 error 4 in libcos-plugin.so[7f533d81f000+b000]
>> > [11832.727989] ns-slapd[22606]: segfault at 0 ip 7f6231eb951c sp
>> > 7f623bf2ba70 error 4 in libcos-plugin.so[7f6231eb6000+b00
>>
>> Okay, this one is serious. The LDAP server crashed.
>>
>> 1. Make sure all your packages are up-to-date.
>>
>> Please see
>> http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#
>> debugging-crashes
>> for further instructions how to debug this.
>>
>> Petr^2 Spacek
>>
>> >
>> > and in /var/log/dirsrv/example-com/errors
>> >
>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord:
>> could
>> > not delete change record 3291138 (rc: 32)
>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord:
>> could
>> > not delete change record 3291139 (rc: 32)
>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord:
>> could
>> > not delete change record 3291140 (rc: 32)
>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord:
>> could
>> > not delete change record 3291141 (rc: 32)
>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord:
>> could
>> > not delete change record 3291142 (rc: 32)
>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord:
>> could
>> > not delete change record 3291143 (rc: 32)
>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord:
>> could
>> > not delete change record 3291144 (rc: 32)
>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord:
>> could
>> > not delete change record 3291145 (rc: 32)
>> > [23/Aug/2016:12:49:50 +0000] - Retry count exceeded in delete
>> > [23/Aug/2016:12:49:50 +0000] DSRetroclPlugin - delete_changerecord:
>> could
>> > not delete change record 3292734 (rc: 51)
>> >
>> >
>> > Can I do something about this error.. I tried to restart ipa a couple
>> of
>> > time but that did not help
>> >
>> > Thanks
>> > Rakesh
>> >
>> > On Mon, Aug 22, 2016 at 2:27 PM, Petr Spacek <pspa...@redhat.com>
>> wrote:
>> >
>> >> On 19.8.2016 19:32, Rakesh Rajasekharan wrote:
>> >>> I am running my set up on AWS cloud, and entropy is low at around 180
>> .
>> >>>
>> >>> I plan to increase it by installing haveged. But, would low entropy
>> by
>> >> any
>> >>> chance cause this issue of intermittent hang .
>> >>> Also, the hang is mostly observed when registering around 20 clients
>> >>> together
>> >>
>> >> Possibly, I'm not sure. If you want to dig into this, I would do this:
>> >> 1. look what process hangs on client (using pstree command or so)
>> >> $ pstree
>> >>
>> >> 2. look to what server and port is the hanging client connected to
>> >> $ lsof -p 
>> >>
>> >> 3. jump to server and see what process is bound to the target port

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-23 Thread Rakesh Rajasekharan
My disk was getting filled too fast.

Logs under /var/log/dirsrv were coming to around 5 GB, quickly filling it up.

Is there a way to make the logging less verbose?



On Tue, Aug 23, 2016 at 6:41 PM, Petr Spacek <pspa...@redhat.com> wrote:

> On 23.8.2016 15:07, Rakesh Rajasekharan wrote:
> > I was able to fix that, maybe temporarily... when I checked the network..
> > there was another process that was running and consuming a lot of
> network (
> > I have no idea who did that. I need to seriously start restricting people
> > access to this machine )
> >
> > after killing that performance improved drastically
> >
> > But now, suddenly I started experiencing the same hang.
> >
> > This time, I get the following error when I check dmesg
> >
> > [  301.236976] ns-slapd[3124]: segfault at 0 ip 7f1de416951c sp
> > 7f1dee1dba70 error 4 in libcos-plugin.so[7f1de4166000+b000]
> > [ 1116.248431] TCP: request_sock_TCP: Possible SYN flooding on port 88.
> > Sending cookies.  Check SNMP counters.
> > [11831.397037] ns-slapd[22550]: segfault at 0 ip 7f533d82251c sp
> > 7f5347894a70 error 4 in libcos-plugin.so[7f533d81f000+b000]
> > [11832.727989] ns-slapd[22606]: segfault at 0 ip 7f6231eb951c sp
> > 7f623bf2ba70 error 4 in libcos-plugin.so[7f6231eb6000+b00
>
> Okay, this one is serious. The LDAP server crashed.
>
> 1. Make sure all your packages are up-to-date.
>
> Please see
> http://directory.fedoraproject.org/docs/389ds/
> FAQ/faq.html#debugging-crashes
> for further instructions how to debug this.
>
> Petr^2 Spacek
>
> >
> > and in /var/log/dirsrv/example-com/errors
> >
> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 3291138 (rc: 32)
> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 3291139 (rc: 32)
> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 3291140 (rc: 32)
> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 3291141 (rc: 32)
> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 3291142 (rc: 32)
> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 3291143 (rc: 32)
> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 3291144 (rc: 32)
> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 3291145 (rc: 32)
> > [23/Aug/2016:12:49:50 +0000] - Retry count exceeded in delete
> > [23/Aug/2016:12:49:50 +0000] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 3292734 (rc: 51)
> >
> >
> > Can I do something about this error.. I tried to restart ipa a couple of
> > time but that did not help
> >
> > Thanks
> > Rakesh
> >
> > On Mon, Aug 22, 2016 at 2:27 PM, Petr Spacek <pspa...@redhat.com> wrote:
> >
> >> On 19.8.2016 19:32, Rakesh Rajasekharan wrote:
> >>> I am running my set up on AWS cloud, and entropy is low at around 180 .
> >>>
> >>> I plan to increase it by installing haveged. But, would low entropy by
> >> any
> >>> chance cause this issue of intermittent hang .
> >>> Also, the hang is mostly observed when registering around 20 clients
> >>> together
> >>
> >> Possibly, I'm not sure. If you want to dig into this, I would do this:
> >> 1. look what process hangs on client (using pstree command or so)
> >> $ pstree
> >>
> >> 2. look to what server and port is the hanging client connected to
> >> $ lsof -p 
> >>
> >> 3. jump to server and see what process is bound to the target port
> >> $ netstat -pn
> >>
> >> 4. see where the process if hanging
> >> $ strace -p 
> >>
> >> I hope it helps.
> >>
> >> Petr^2 Spacek
> >>
> >>> On Fri, Aug 19, 2016 at 7:24 PM, Rakesh Rajasekharan <
> >>> rakesh.rajasekha...@gmail.com> wrote:
> >>>
> >>>> yes there seems to be something that's worrying.. I have faced this
> today
> >>>> as well.
> >>>> There are a few hosts around 280 odd left and when I try adding them to
> >> IPA
> >>>> , the slowness begins..
> >>>>
> >>>> all the ipa commands like ipa user-find.. et

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-19 Thread Rakesh Rajasekharan
I am running my set up on AWS cloud, and entropy is low at around 180.

I plan to increase it by installing haveged. But would low entropy by any
chance cause this issue of intermittent hang?
Also, the hang is mostly observed when registering around 20 clients
together.

On Fri, Aug 19, 2016 at 7:24 PM, Rakesh Rajasekharan <
rakesh.rajasekha...@gmail.com> wrote:

> yes there seems to be something that's worrying.. I have faced this today
> as well.
> There are a few hosts (around 280 odd) left and when I try adding them to IPA,
> the slowness begins..
>
> all the ipa commands like ipa user-find.. etc becomes very slow in
> responding.
>
> the SYNC_RECV are not many though just around 80-90 and today that was
> around 20 only
>
>
> I have for now increased tcp_max_syn_backlog to 5000.
> For now the slowness seems to have gone.. but I will do a try adding the
> clients again tomorrow and see how it goes
>
> Thanks
> Rakesh
>
> The issues
>
> On Fri, Aug 19, 2016 at 12:58 PM, Petr Spacek <pspa...@redhat.com> wrote:
>
>> On 18.8.2016 17:23, Rakesh Rajasekharan wrote:
>> > Hi
>> >
>> > I am migrating to freeipa from openldap and have around 4000 clients
>> >
>> > I had opened another thread on that, but chose to start a new one
>> here
>> > as its a separate issue
>> >
>> > I was able to change the nsslapd-maxdescriptors adding an ldif file
>> >
>> > cat nsslapd-modify.ldif
>> > dn: cn=config
>> > changetype: modify
>> > replace: nsslapd-maxdescriptors
>> > nsslapd-maxdescriptors: 17000
>> >
>> > and running the ldapmodify command
>> >
>> > I have now started moving clients running an openldap to Freeipa and
>> have
>> > today moved close to 2000 clients
>> >
>> > However, I have noticed that IPA hangs intermittently.
>> >
>> > running a kinit admin returns the below error
>> > kinit: Generic error (see e-text) while getting initial credentials
>> >
>> > from the /var/log/messages, I see this entry
>> >
>> >  prod-ipa-master-int kernel: [104090.315801] TCP: request_sock_TCP:
>> > Possible SYN flooding on port 88. Sending cookies.  Check SNMP counters.
>>
>> I would be worried about this message. Maybe kernel/firewall is doing
>> something fishy behind your back and blocking some connections or so.
>>
>> Petr^2 Spacek
>>
>>
>> > Aug 18 13:00:01 prod-ipa-master-int systemd[1]: Started Session 4885 of
>> > user root.
>> > Aug 18 13:00:01 prod-ipa-master-int systemd[1]: Starting Session 4885 of
>> > user root.
>> > Aug 18 13:01:01 prod-ipa-master-int systemd[1]: Started Session 4886 of
>> > user root.
>> > Aug 18 13:01:01 prod-ipa-master-int systemd[1]: Starting Session 4886 of
>> > user root.
>> > Aug 18 13:02:40 prod-ipa-master-int python[28984]: ansible-command
>> Invoked
>> > with creates=None executable=None shell=True args= removes=None
>> warn=True
>> > chdir=None
>> > Aug 18 13:04:37 prod-ipa-master-int sssd_be: GSSAPI Error: Unspecified
>> GSS
>> > failure.  Minor code may provide more information (KDC returned error
>> > string: PROCESS_TGS)
>> >
>> > Could it be possible that its due to the initial load of adding the
>> clients
>> > or is there something else that I need to take care of.
>> >
>> > Thanks,
>> >
>> > Rakesh
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-19 Thread Rakesh Rajasekharan
yes there seems to be something that's worrying.. I have faced this today as
well.
There are a few hosts (around 280 odd) left and when I try adding them to IPA,
the slowness begins..

all the ipa commands like ipa user-find.. etc becomes very slow in
responding.

the SYNC_RECV are not many though just around 80-90 and today that was
around 20 only


I have for now increased tcp_max_syn_backlog to 5000.
For now the slowness seems to have gone.. but I will do a try adding the
clients again tomorrow and see how it goes

Thanks
Rakesh

The issues

On Fri, Aug 19, 2016 at 12:58 PM, Petr Spacek <pspa...@redhat.com> wrote:

> On 18.8.2016 17:23, Rakesh Rajasekharan wrote:
> > Hi
> >
> > I am migrating to freeipa from openldap and have around 4000 clients
> >
> > I had opened another thread on that, but chose to start a new one here
> > as its a separate issue
> >
> > I was able to change the nsslapd-maxdescriptors adding an ldif file
> >
> > cat nsslapd-modify.ldif
> > dn: cn=config
> > changetype: modify
> > replace: nsslapd-maxdescriptors
> > nsslapd-maxdescriptors: 17000
> >
> > and running the ldapmodify command
> >
> > I have now started moving clients running an openldap to Freeipa and have
> > today moved close to 2000 clients
> >
> > However, I have noticed that IPA hangs intermittently.
> >
> > running a kinit admin returns the below error
> > kinit: Generic error (see e-text) while getting initial credentials
> >
> > from the /var/log/messages, I see this entry
> >
> >  prod-ipa-master-int kernel: [104090.315801] TCP: request_sock_TCP:
> > Possible SYN flooding on port 88. Sending cookies.  Check SNMP counters.
>
> I would be worried about this message. Maybe kernel/firewall is doing
> something fishy behind your back and blocking some connections or so.
>
> Petr^2 Spacek
>
>
> > Aug 18 13:00:01 prod-ipa-master-int systemd[1]: Started Session 4885 of
> > user root.
> > Aug 18 13:00:01 prod-ipa-master-int systemd[1]: Starting Session 4885 of
> > user root.
> > Aug 18 13:01:01 prod-ipa-master-int systemd[1]: Started Session 4886 of
> > user root.
> > Aug 18 13:01:01 prod-ipa-master-int systemd[1]: Starting Session 4886 of
> > user root.
> > Aug 18 13:02:40 prod-ipa-master-int python[28984]: ansible-command
> Invoked
> > with creates=None executable=None shell=True args= removes=None warn=True
> > chdir=None
> > Aug 18 13:04:37 prod-ipa-master-int sssd_be: GSSAPI Error: Unspecified
> GSS
> > failure.  Minor code may provide more information (KDC returned error
> > string: PROCESS_TGS)
> >
> > Could it be possible that its due to the initial load of adding the
> clients
> > or is there something else that I need to take care of.
> >
> > Thanks,
> >
> > Rakesh
>

[Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-18 Thread Rakesh Rajasekharan
Hi

I am migrating to freeipa from openldap and have around 4000 clients

I had opened another thread on that, but chose to start a new one here
as it's a separate issue.

I was able to change the nsslapd-maxdescriptors by adding an ldif file

cat nsslapd-modify.ldif
dn: cn=config
changetype: modify
replace: nsslapd-maxdescriptors
nsslapd-maxdescriptors: 17000

and running the ldapmodify command

I have now started moving clients running an openldap to Freeipa and have
today moved close to 2000 clients

However, I have noticed that IPA hangs intermittently.

running a kinit admin returns the below error
kinit: Generic error (see e-text) while getting initial credentials

from the /var/log/messages, I see this entry

 prod-ipa-master-int kernel: [104090.315801] TCP: request_sock_TCP:
Possible SYN flooding on port 88. Sending cookies.  Check SNMP counters.
Aug 18 13:00:01 prod-ipa-master-int systemd[1]: Started Session 4885 of
user root.
Aug 18 13:00:01 prod-ipa-master-int systemd[1]: Starting Session 4885 of
user root.
Aug 18 13:01:01 prod-ipa-master-int systemd[1]: Started Session 4886 of
user root.
Aug 18 13:01:01 prod-ipa-master-int systemd[1]: Starting Session 4886 of
user root.
Aug 18 13:02:40 prod-ipa-master-int python[28984]: ansible-command Invoked
with creates=None executable=None shell=True args= removes=None warn=True
chdir=None
Aug 18 13:04:37 prod-ipa-master-int sssd_be: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (KDC returned error
string: PROCESS_TGS)

Could it be possible that its due to the initial load of adding the clients
or is there something else that I need to take care of.

Thanks,

Rakesh
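The two log excerpts in this thread (the ns-slapd segfaults and "Possible SYN flooding on port 88" lines from dmesg in the 23 August mail, and the DSRetroclPlugin "could not delete change record (rc: 32)" lines from /var/log/dirsrv/<instance>/errors) are the kind of thing worth triaging mechanically before restarting anything. The script below is an added example, not code from the thread or from the FreeIPA/389-ds projects; the sample lines are constructed to mirror the quoted ones, and the mapping of rc 32 and 51 to the RFC 4511 names noSuchObject and busy is the only outside fact it relies on.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the dmesg and /var/log/dirsrv/<instance>/errors
# excerpts quoted in this thread; they are not real captures from any system.
SAMPLE_DMESG = """\
[  301.236976] ns-slapd[3124]: segfault at 0 ip 7f1de416951c sp 7f1dee1dba70 error 4 in libcos-plugin.so[7f1de4166000+b000]
[ 1116.248431] TCP: request_sock_TCP: Possible SYN flooding on port 88. Sending cookies.  Check SNMP counters.
[11831.397037] ns-slapd[22550]: segfault at 0 ip 7f533d82251c sp 7f5347894a70 error 4 in libcos-plugin.so[7f533d81f000+b000]
[11900.100000] TCP: request_sock_TCP: Possible SYN flooding on port 389. Sending cookies.  Check SNMP counters.
"""

SAMPLE_DIRSRV_ERRORS = """\
[23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 3291138 (rc: 32)
[23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 3291139 (rc: 32)
[23/Aug/2016:12:49:50 +0000] - Retry count exceeded in delete
[23/Aug/2016:12:49:50 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 3292734 (rc: 51)
"""

SEGFAULT_RE = re.compile(
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) .* in (?P<lib>[\w.+-]+)\[")
SYNFLOOD_RE = re.compile(r"Possible SYN flooding on port (?P<port>\d+)")
RETROCL_RE = re.compile(
    r"DSRetroclPlugin - \w+: could not delete change record (?P<rec>\d+) \(rc: (?P<rc>\d+)\)")

# LDAP result codes (RFC 4511) for the rc values that appear in the thread.
LDAP_RC = {32: "noSuchObject", 51: "busy"}


def triage_dmesg(text):
    """Pull process crashes and SYN-cookie activations out of kernel log lines."""
    segfaults = []
    syn_ports = Counter()
    for line in text.splitlines():
        m = SEGFAULT_RE.search(line)
        if m:
            segfaults.append({"proc": m["proc"], "pid": int(m["pid"]), "lib": m["lib"]})
            continue
        m = SYNFLOOD_RE.search(line)
        if m:
            syn_ports[int(m["port"])] += 1
    return {"segfaults": segfaults, "syn_flood_ports": dict(syn_ports)}


def triage_dirsrv_errors(text):
    """Count retro changelog delete failures per LDAP result code."""
    by_rc = Counter()
    retries_exceeded = 0
    for line in text.splitlines():
        m = RETROCL_RE.search(line)
        if m:
            by_rc[int(m["rc"])] += 1
        elif "Retry count exceeded" in line:
            retries_exceeded += 1
    failures = {rc: (LDAP_RC.get(rc, "unknown"), n) for rc, n in by_rc.items()}
    return {"retrocl_failures": failures, "retries_exceeded": retries_exceeded}


def summarize(dmesg_text, errors_text):
    """Turn both triage results into prioritised, human-readable findings."""
    d = triage_dmesg(dmesg_text)
    e = triage_dirsrv_errors(errors_text)
    findings = []
    if d["segfaults"]:
        procs = sorted({s["proc"] for s in d["segfaults"]})
        libs = sorted({s["lib"] for s in d["segfaults"]})
        findings.append(f"CRITICAL: {len(d['segfaults'])} crash(es) of {', '.join(procs)} in "
                        f"{', '.join(libs)}; update packages and capture a core per the 389-ds FAQ")
    for port, n in sorted(d["syn_flood_ports"].items()):
        findings.append(f"WARNING: SYN cookies sent {n}x on port {port}; compare the connection "
                        f"rate with net.ipv4.tcp_max_syn_backlog and check who is connecting")
    for rc, (name, n) in sorted(e["retrocl_failures"].items()):
        findings.append(f"WARNING: {n} retro changelog delete(s) failed with rc {rc} ({name})")
    if e["retries_exceeded"]:
        findings.append(f"WARNING: {e['retries_exceeded']} operation(s) hit the retry limit")
    return findings


if __name__ == "__main__":
    for line in summarize(SAMPLE_DMESG, SAMPLE_DIRSRV_ERRORS):
        print(line)
```

Feed it `dmesg` output and the errors log of the instance (the thread's path is /var/log/dirsrv/example-com/errors). A crash report outranks everything else: a segfault inside a plugin library means the LDAP server itself is going down, which is what produces the "hang" and the kinit failures seen from the clients, so it belongs at the top of the list regardless of how many SYN-cookie lines follow.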

[Freeipa-users] freeipa server capacity planning

2016-08-13 Thread Rakesh Rajasekharan
Hi,

I have successfully running freeipa setup across my envs.. and now planning
to move it to one of the prod envs where we have around 4000 clients.

I am running a single IPA server instance with regular backups being taken
to handle any disasters

Are there any recommendations on the system configuration? I am using a 4
CPU, 30GB RAM machine. Will that be OK or should I upgrade to a higher
configuration?

Also, the default file descriptor limit is set to 8192 by IPA; with this number
of clients, does it make sense to increase the value of
nsslapd-maxdescriptors?

Please let me know


Thanks,

Rakesh

Re: [Freeipa-users] sssd shows deleted users as well

2016-07-30 Thread Rakesh Rajasekharan
Thanks Jan..  I will give that a try

On Fri, Jul 29, 2016 at 7:05 PM, Jan Pazdziora <jpazdzi...@redhat.com>
wrote:

> On Fri, Jul 22, 2016 at 06:17:32PM +0530, Rakesh Rajasekharan wrote:
> > My specific requirement for having "enumerate=TRUE" was , we have a build
> > server with the jenkins set up.
> > And for authentication jenkins tries to get the localusers on the system.
> >
> > I should be able to get through that by configuring Jenkins to use LDAP
> > instead of the local users.
>
> Alternatively you could use Apache HTTP frontend for authentication
> per
>
>
> https://wiki.jenkins-ci.org/display/JENKINS/Apache+frontend+for+security
>
> and use for example mod_authnz_pam configured with PAM service
> that pam_sss.so / SSSD will handle.
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red
> Hat
>

Re: [Freeipa-users] slow login with freeipa 4.2.0

2016-07-30 Thread Rakesh Rajasekharan
Thanks Jakub for the detailed analysis... with those inputs , I was able to
nail down the issue.

I had migrated this host from openldap to freeipa. However, the nslcd daemon
was still running and the syslog pointed me to the error "unable to contact
the earlier openldap server" and it spent some time there...

So, I stopped nslcd and now logins have improved drastically to around 5s

date;ssh testuser@localhost
Sat Jul 30 08:09:13 UTC 2016
testuser@localhost's password:
Last login: Sat Jul 30 08:08:55 2016 from 127.0.0.1
[p-rakeshpillai@prod1-admintools-1c :~] date
Sat Jul 30 08:09:18 UTC 2016


For the ipa_hostname entry in sssd.conf, that gets auto-populated every
time I run ipa-client-install.

I run the below command to setup ipa client

ipa-client-install --domain=xyz.xom --server=ipa-master-int.xyz.xom
--realm=xyz.xom -p admin --password=mypass --mkhomedir --hostname=10.65.16.4
--no-ssh --no-sshd -N -f -U

Notice that in the hostname argument I am passing the IP address. Hope
that's fine; it's actually working fine on around 2000+ servers in my
environment.

I had earlier tried with servername.domain (qa-test1.yyz.com as the
hostname) and my server's hostname would get changed to qa-test1.yyz.com.
However, we do our deployments on glassfish and glassfish somehow started
having issues every time we restart glassfish (not an expert with glassfish)
so not sure what's wrong there.

With this approach, my hostname is now my IP address and things are
working fine both at the glassfish and IPA side.
But just want to confirm it's ok to do that.


Thanks,
Rakesh






On Fri, Jul 29, 2016 at 5:10 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Tue, Jul 26, 2016 at 06:07:10PM +0530, Rakesh Rajasekharan wrote:
> > > Any chance that it's running on a VM? If so, check your entropy:
> >
> > > cat /proc/sys/kernel/random/entropy_avail
> >
> > > If it's low (like < 1k), install haveged.
> >
> > this indeed is a VM, I am running it on Azure. However, I have a similar
> set
> > up running on aws which works completely fine
>
> Sorry about the delay in replying..
>
> >
> > The entropy was low, around 180, I installed haveged and now it's above 3k
> > cat /proc/sys/kernel/random/entropy_avail
> > 3178
> >
> > The timing though is still the same around 19s
>
> I have some comments inline about the config and logs.
>
> >
> > @jakub, i am reattaching the logs.
> >
> > The DNS resolution seems fast when I check using dig
> >
> > below is my sssd.conf
> > [domain/xyz.com]
> > selinux_provider=none
> > krb5_auth_timeout = 20
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = xyz.com
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > ipa_hostname = 10.65.16.4
>
> The ipa_hostname value is wrong. It's meant for systems where hostname
> reports a different name that what is the name the host is registered as
> in IPA. Including an IP address there doesn't make much sense.
>
> > chpass_provider = ipa
> > ipa_server = ipa-master-in.xyz.com
> > dns_discovery_domain = xyz.com
> > ignore_group_members=True
> > ldap_purge_cache_timeout = 0
> > debug_level=8
> > [sssd]
> > services = nss, sudo, pam, ssh
> > config_file_version = 2
> >
> > domains = xyz.com
> > [nss]
> > homedir_substring = /home
> >
> > [pam]
> > pam_id_timeout = 3
> >
> > [sudo]
> >
> > [autofs]
> >
> > [ssh]
> >
> > [pac]
> >
> > [ifp]
> >
> >
> >
> > And here is the login times and logs
> >
> > [root@ipa-client-1 :~] date;ssh testuser@localhost
> > Tue Jul 26 12:06:37 UTC 2016
> > testuser@localhost's password:
> > Last login: Tue Jul 26 12:03:53 2016 from 127.0.0.1
> > [testuser@ipa-client-1 :~] date
> > Tue Jul 26 12:06:55 UTC 2016
> >
> >
> > sssd_domain logs
> >
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_message_handler]
> > (0x2000): Received SBUS method
> > org.freedesktop.sssd.dataprovider.getAccountInfo on path
> > /org/freedesktop/sssd/dataprovider
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send]
> > (0x2000): Not a sysbus message, quit
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_get_account_info]
> > (0x0200): Got request for [0x3][1][name=testuser]
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_req_set_domain]
> > (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]]
> > [sdap_
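Jakub's point about `ipa_hostname = 10.65.16.4` (and the matching `--hostname=10.65.16.4` passed to ipa-client-install earlier in this thread) is easy to catch before it costs a slow-login investigation. The checker below is an added example, not part of the thread or of SSSD/FreeIPA; the sssd.conf and command line it inspects are constructed stand-ins with placeholder names, and its only claims are that `ipa_hostname` must be a name rather than an address, that a high `debug_level` is what fills the log directory, and that an admin password on the command line is visible in shell history and the process list.

```python
import configparser
import ipaddress
import shlex

# Constructed sssd.conf modelled on the one posted in this thread; every
# value here is a placeholder, not a real deployment.
SAMPLE_SSSD_CONF = """\
[domain/xyz.com]
selinux_provider=none
krb5_auth_timeout = 20
cache_credentials = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = xyz.com
ipa_hostname = 10.65.16.4
ipa_server = ipa-master-in.xyz.com
dns_discovery_domain = xyz.com
debug_level=8

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = xyz.com
"""

# Constructed enrolment command line in the shape used in the thread, placeholder values.
SAMPLE_CLIENT_INSTALL = ("ipa-client-install --domain=xyz.com --server=ipa-master-in.xyz.com "
                         "--realm=XYZ.COM -p admin --password=mypass --mkhomedir "
                         "--hostname=10.65.16.4 --no-ssh --no-sshd -N -f -U")


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_sssd_conf(text):
    """Return (section, key, message) triples for settings that will misbehave."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        host = dom.get("ipa_hostname")
        if host is not None:
            if is_ip_literal(host):
                findings.append((section, "ipa_hostname",
                                 f"{host!r} is an IP literal; it must be the FQDN the host is enrolled under"))
            elif "." not in host:
                findings.append((section, "ipa_hostname", f"{host!r} is not fully qualified"))
        # ipa_server may be a comma-separated list and may start with _srv_ for DNS discovery.
        for entry in (dom.get("ipa_server") or "").split(","):
            entry = entry.strip()
            if entry and entry != "_srv_" and is_ip_literal(entry):
                findings.append((section, "ipa_server",
                                 f"{entry!r} is an IP literal; Kerberos needs the server's name"))
        dbg = dom.get("debug_level")
        if dbg is not None:
            try:
                level = int(dbg.strip(), 0)   # accepts "8" as well as hex masks like 0x0400
            except ValueError:
                level = 0
            if level > 0:
                findings.append((section, "debug_level",
                                 f"debug logging {dbg.strip()} left enabled; it fills /var/log/sssd quickly"))
    return findings


def lint_client_install(cmdline):
    """Flag enrolment arguments that this thread shows causing trouble."""
    argv = shlex.split(cmdline)
    findings = []
    for i, arg in enumerate(argv):
        if arg.startswith("--hostname"):
            value = arg.split("=", 1)[1] if "=" in arg else (argv[i + 1] if i + 1 < len(argv) else "")
            if is_ip_literal(value):
                findings.append(f"--hostname={value} is an IP literal; use the client's FQDN so the "
                                f"host principal and ipa_hostname agree")
        elif arg.startswith("--password") or arg == "-w":
            findings.append("--password on the command line ends up in shell history and the process "
                            "list; omit it to be prompted, or enrol with a host one-time password")
    return findings


if __name__ == "__main__":
    for finding in lint_sssd_conf(SAMPLE_SSSD_CONF) + lint_client_install(SAMPLE_CLIENT_INSTALL):
        print(finding)
```

Run it against /etc/sssd/sssd.conf on a client that logs in slowly; a clean result from `lint_sssd_conf` means the hostname-related settings look the way SSSD expects and the delay should be sought elsewhere (the nslcd leftover in this thread is a good reminder that a migrated host can still carry its old directory client).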

[Freeipa-users] ipa restore from backup on another host

2016-07-29 Thread Rakesh Rajasekharan
Hi,

I would like to restore IPA from a backup taken on another host.

My use case is to create a new QA environment and I don't want to go over the
process of recreating all the users.

I tried to restore IPA from the backup taken in my first environment. But
that failed with hostname difference issues.

Is there a way to get this working?



Thanks,
Rakesh

Re: [Freeipa-users] ipa-client install failures, Could not resolve host: ipa-master-in.xyz.com; Unknown error

2016-07-28 Thread Rakesh Rajasekharan
thanks for the inputs..

the issue was with my network,

I was able to resolve it by adding NETWORKING_IPV6=no in
/etc/sysconfig/network


possibly it was using IPv6 resolution and that was failing


On Thu, Jul 28, 2016 at 1:37 PM, Petr Spacek <pspa...@redhat.com> wrote:

> On 27.7.2016 19:29, Rakesh Rajasekharan wrote:
> > Hi,
> >
> > I am running ipa server 4.2 and set it up without using "--setup-dns=no".
> >
> > On few clients the installation fails with the below error message.
> >
> >
> > I verified that the ipa master dns is resolvable. Not sure what could be
> > wrong here..
> >
> >
> > Joining realm failed: libcurl failed to execute the HTTP POST
> transaction,
> > explaining:  Could not resolve host: ipa-master-in.xyz.com; Unknown
> error
> >
> > Use ipa-getkeytab to obtain a host principal for this server.
> > Please make sure the following ports are opened in the firewall settings:
> >  TCP: 80, 88, 389
> >  UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> > Also note that following ports are necessary for ipa-client working
> > properly after enrollment:
> >  TCP: 464
> >  UDP: 464, 123 (if NTP enabled)
> > Failed to obtain host TGT: (-1765328203, 'Key table entry not found')
> > Installation failed. Force set so not rolling back changes.
> >
> >
> > I tried removing /etc/ipa/ca.crt and deleting any older certificates
> > "certutil -D -n 'IPA CA' -d /etc/pki/nssdb"
> >
> > However, no luck yet..
> >
> > any suggestions on how I can debug this..
>
> I would start with command:
> $ dig ipa-master-in.xyz.com
>
> It should print IPv4 address of the server ipa-master-in.xyz.com . If it
> does
> not print it there is a problem with DNS. In that case usual DNS debugging
> guides apply.
>
> I hope it helps.
>
> --
> Petr^2 Spacek
>
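Petr's `dig` check and the NETWORKING_IPV6=no workaround above point at the same question: which address family is the name actually resolving in? The helper below is an added example, not code from the thread or from FreeIPA; it resolves a name separately for IPv4 and IPv6 so that a failure confined to one family shows up as such, and `make_stub_resolver` is an assumed stand-in for `socket.getaddrinfo` so the logic can be exercised without any DNS at all. The server name is a placeholder.

```python
import socket

# Constructed placeholder for the server name in this thread; nothing is resolved
# against real DNS unless diagnose() is called with the default resolver.
EXAMPLE_NAME = "ipa-master-in.xyz.com"


def resolve_by_family(name, port=443, resolver=socket.getaddrinfo):
    """Resolve `name` once per address family so a failure in one family is visible."""
    result = {"ipv4": [], "ipv6": [], "errors": {}}
    for label, family in (("ipv4", socket.AF_INET), ("ipv6", socket.AF_INET6)):
        try:
            infos = resolver(name, port, family, socket.SOCK_STREAM)
        except socket.gaierror as exc:
            result["errors"][label] = str(exc)
            continue
        result[label] = sorted({info[4][0] for info in infos})
    return result


def diagnose(name, resolver=socket.getaddrinfo):
    """Classify the name the way the dig check does: an A record is what the client needs."""
    r = resolve_by_family(name, resolver=resolver)
    if r["ipv4"]:
        verdict = "ok"
    elif r["ipv6"]:
        verdict = "ipv6-only"   # a client without working IPv6 reports 'Could not resolve host'
    else:
        verdict = "unresolvable"
    return verdict, r


def make_stub_resolver(ipv4=(), ipv6=()):
    """Build a getaddrinfo look-alike from fixed answers. A family with no answers raises
    gaierror, which is what the libc resolver does for a name without records of that type."""
    answers = {socket.AF_INET: list(ipv4), socket.AF_INET6: list(ipv6)}

    def resolver(name, port, family=0, socktype=0, proto=0, flags=0):
        addrs = answers.get(family, [])
        if not addrs:
            raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
        return [(family, socket.SOCK_STREAM, 6, "", (addr, port)) for addr in addrs]

    return resolver


if __name__ == "__main__":
    # Offline demonstration: an IPv4-only answer for the placeholder name.
    print(diagnose(EXAMPLE_NAME, resolver=make_stub_resolver(ipv4=["192.0.2.10"])))
```

Call `diagnose("ipa-master-in.xyz.com")` on the failing client to use the system resolver: an "ipv6-only" or "unresolvable" verdict reproduces the enrolment error from resolver configuration alone, without touching the IPA server, and the per-family error strings say which lookup failed. Disabling IPv6 system-wide, as the thread does, hides the symptom; the record set and the client's resolver order are where the actual fix lives.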

[Freeipa-users] ipa-client install failures, Could not resolve host: ipa-master-in.xyz.com; Unknown error

2016-07-27 Thread Rakesh Rajasekharan
Hi,

I am running ipa server 4.2 and set it up without using "--setup-dns=no".

On few clients the installation fails with the below error message.


I verified that the ipa master dns is resolvable. Not sure what could be
wrong here..


Joining realm failed: libcurl failed to execute the HTTP POST transaction,
explaining:  Could not resolve host: ipa-master-in.xyz.com; Unknown error

Use ipa-getkeytab to obtain a host principal for this server.
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: (-1765328203, 'Key table entry not found')
Installation failed. Force set so not rolling back changes.


I tried removing /etc/ipa/ca.crt and deleting any older certificates
"certutil -D -n 'IPA CA' -d /etc/pki/nssdb"

However, no luck yet..

any suggestions on how I can debug this..

Thanks
Rakesh

Re: [Freeipa-users] sssd shows deleted users as well

2016-07-22 Thread Rakesh Rajasekharan
Under the "configure global security" part of Jenkins, we can specify how
Jenkins will fetch users for authentication. One option is
"Unix user/group database", wherein it will do a getent passwd and fetch
users from there.
The other is to specify LDAP.
There are a few other ways as well but I haven't explored them yet.

Thanks
Rakesh


On Fri, Jul 22, 2016 at 6:54 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Fri, Jul 22, 2016 at 06:17:32PM +0530, Rakesh Rajasekharan wrote:
> > My specific requirement for having "enumerate=TRUE" was , we have a build
> > server with the jenkins set up.
> > And for authentication jenkins tries to get the localusers on the system.
>
> I'm not sure what you mean by localusers, but does Jenkins really use
> some sort of interface that lists all users through the system
> interface? IIRC Jenkins is written in Java, so I would expect some
> native Java connector instead..
>
> >
> > I should be able to get through that by configuring Jenkins to use LDAP
> > instead of the local users.
> >
> > But  are there any other reasons for recommending against
> "enumerate=TRUE",
> > i recall reading somewhere as well not to use this specific setting.
>
> - performance
> - in general (because it's not the default and few people use
>   enumeration), less tested than the default
> - idviews don't work
> - trusted AD users can't be enumerated at all
>

[Freeipa-users] freeipa password policy (history) getting reset with password reset

2016-05-03 Thread Rakesh Rajasekharan
Hi,

I am running a freeipa server 4.2.x.

I have the following global password policy set to force a history
of 3

ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8
--maxfail=3 --failinterval=300


This works well when the user himself changes the password, and IPA does
not allow reusing older passwords.

However, if the admin resets it ("ipa user-mod testuser --random") then it
seems to reset the password history as well and the user can now re-use his
older password.

Is this expected or is there something I can do about it?

Also, is there a way to get the password expiry warning at the terminal
when a user logs in, something similar to the "pwdExpireWarning" in ldap?

I searched a bit and could only find setting up email alerts .


Thanks,
Rakesh

Re: [Freeipa-users] ipa-client password authentication failed

2016-04-28 Thread Rakesh Rajasekharan
Somehow, I am no longer facing this issue.. the only change I did was,
corrected the /etc/openldap/ldap.conf file to point to the ipa master dns
rather than the older ldap dns.
The file had "#File modified by ipa-client-install" but it did not change
the ldap dns and still pointed to the older entry. I just corrected it and
restarted sssd.

It did not work initially after changing, though; however, I am no longer
facing that issue now. Maybe it was a caching issue.

Thanks,
Rakesh

On Sun, Apr 24, 2016 at 5:01 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

>
> > On 22 Apr 2016, at 19:21, Rakesh Rajasekharan <
> rakesh.rajasekha...@gmail.com> wrote:
> >
> > Hi Jakub
> >
> >
> > the child only had that much info..
> >
> > from the domain logs. it looks that it was able to resolve the master .
> However, the ldap results say found nothing.
> >
> > I was earlier running an openldap client on this host and then migrated
> to IPA.
> >
> > /etc/openldap/ldap.conf  was still pointing to the older ldap master..
> >
> > #File modified by ipa-client-install
> >
> > URI ldaps://older-ldap-master.com:636/
> > BASE dc=xyz,dc=com
> > TLS_CACERT /etc/ipa/ca.crt
> >
> > TLS_CACERTDIR /etc/openldap/cacerts]
> >
> > I corrected that to point to IPA and noticed that getent passwd now
> successfully lists all the users.
> > However, the authentication does not work yet. ( ldapsearch -x though
> shows all the users ).
> >
> > I re-tested it now...
> > below is the domain log
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): start
> ldb transaction (nesting: 3)
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added
> timed event "ltdb_callback": 0x118fab0
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added
> timed event "ltdb_timeout": 0x11925f0
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Running
> timer event 0x118fab0 "ltdb_callback"
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000):
> Destroying timer event 0x11925f0 "ltdb_timeout"
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Ending
> timer event 0x118fab0 "ltdb_callback"
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): cancel
> ldb transaction (nesting: 3)
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): commit
> ldb transaction (nesting: 2)
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): commit
> ldb transaction (nesting: 1)
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_save_users]
> (0x4000): User 0 processed!
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): commit
> ldb transaction (nesting: 0)
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_get_users_done]
> (0x4000): Saving 1 Users - Done
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_id_op_done]
> (0x4000): releasing operation connection
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added
> timed event "ltdb_callback": 0x118fd20
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added
> timed event "ltdb_timeout": 0x1182770
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Running
> timer event 0x118fd20 "ltdb_callback"
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000):
> Destroying timer event 0x1182770 "ltdb_timeout"
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Ending
> timer event 0x118fd20 "ltdb_callback"
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]]
> [sdap_id_op_connect_step] (0x4000): reusing cached connection
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]]
> [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in
> view [Default Trust View] with filter
> [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:xyz.com:8
> c7e86dc-0536-11e6-94f8-0e49bd988575))].
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_print_server]
> (0x2000): Searching 10.0.4.175
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:xyz.com:8c7e86dc-0536-11e6-94f8-0e49bd988575))][cn=Default
> Trust View,cn=views,cn=accounts,dc=xyz,dc=com].
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 105
> &

[Freeipa-users] ipa-client password authentication failed

2016-04-22 Thread Rakesh Rajasekharan
Hi There,

I have successfully set up and running freeipa in my environment.

I am running a freeipa master 4.2.x and my ipa clients are at 3.0.0-47

This setup works fine for the majority of servers. But just on one host I am
unable to authenticate the users.

It gives me password denied.

Below is the error from /var/log/secure

Apr 22 14:25:26 localhost sshd[18785]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.13
user=q-testuser
Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.213
user=q-testuser
Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): received for
user q-testuser: 4 (System error)


and in my krb5_child.log, i see the below lines,
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [main] (0x0400):
krb5_child started.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [unpack_buffer]
(0x1000): total buffer size: [171]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [unpack_buffer]
(0x0100): cmd [241] uid [114201] gid [114201] validate [true]
enterprise principal [false] offline [false] UPN [q-testu...@xyz.com]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_114201_XX] old_ccname:
[FILE:/tmp/krb5cc_114201_RjJBN2] keytab: [/etc/krb5.keytab]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [switch_creds]
(0x0200): Switch user to [114201][114201].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603
[sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [switch_creds]
(0x0200): Switch user to [0][0].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603
[k5c_check_old_ccache] (0x4000): Ccache_file is
[FILE:/tmp/krb5cc_114201_RjJBN2] and is not active and TGT is  valid.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603
[k5c_precreate_ccache] (0x4000): Recreating ccache
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.2.2...@xyz.com]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603
[find_principal_in_keytab] (0x4000): Trying to find principal host/
10.2.2...@xyz.com in keytab.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [match_principal]
(0x1000): Principal matched to the sample (host/10.2.2...@xyz.com).
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [become_user]
(0x0200): Trying to become user [114201][114201].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [main] (0x2000):
Running as [114201][114201].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [k5c_setup]
(0x2000): Running as [114201][114201].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [main] (0x0400):
Will perform online auth
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [tgt_req_child]
(0x1000): Attempting to get a TGT
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603 [get_and_save_tgt]
(0x0400): Attempting kinit for realm [XYZ.COM]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127643: Getting
initial credentials for q-testu...@xyz.com

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127715: FAST armor
ccache: MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127767: Retrieving
host/10.2.2...@xyz.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/XYZ.COM
\@XYZ.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM with
result: -1765328243/Matching credential not found

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127832: Sending
request (185 bytes) to XYZ.COM

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.128056: Initiating
TCP connection to stream 10.0.4.175:88

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.129419: Sending TCP
request to stream 10.
krb5_child.log (END)


Can someone please advise what seems to be going wrong here.


Thanks,
Rakesh

[Freeipa-users] freeipa restore backup on a new server

2016-04-12 Thread Rakesh Rajasekharan
Hi ,

I am running ipa-server version 4.2 on AWS, and testing the freeipa backup
and restore.

The restoration works fine if it's on the same host, wherein I uninstall
freeipa and then install it back and then do a full restore.

However, if it's a new machine with a different IP, the restoration fails.

I am running the restoration from an ansible playbook. Here's the output
that I get

Preparing restore from /tmp/ipa/ipa-full-2016-04-12 on
test-ipa-master-int.xyz.com
Performing FULL restore from FULL backup
Each master will individually need to be re-initialized or
re-created from this one. The replication agreements on
masters running IPA 3.1 or earlier will need to be manually
re-enabled. See the man page for details.
Disabling all replication.
Stopping IPA services
Systemwide CA database updated.
Restoring files
Systemwide CA database updated.
Restoring from userRoot in xyz-COM
Restoring from ipaca in xyz-COM
Starting IPA services
Command ''ipactl' 'start'' returned non-zero exit status 1
stdout: Configuring certmonger to stop tracking system certificates for CA

Is there a limitation that the IP needs to be the same for a restore to
happen, or am I missing something?

Thanks,
Rakesh

Re: [Freeipa-users] unable to authenticate using freeipa client

2016-03-15 Thread Rakesh Rajasekharan
Yes, the space was indeed the culprit. I cleaned up some and login works
fine now.

Thanks !!

On Tue, Mar 15, 2016 at 1:55 PM, Sumit Bose <sb...@redhat.com> wrote:

> On Mon, Mar 14, 2016 at 05:50:34PM +0530, Rakesh Rajasekharan wrote:
> > I set up freeipa in my environment and works perfectly.
> >
> > But just on one host, I am not able to authenticate. I get a permission
> > denied error.
> >
> > The sssd version I have is 1.12
> >
> > the krb5_child log does point to some error,
> > krb5_child.log
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [unpack_buffer]
> > (0x2000): No old ccache
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [unpack_buffer]
> > (0x0100): ccname: [FILE:/tmp/krb5cc_5102_XX] old_ccname: [not set]
> > keytab: [/etc/krb5.keytab]
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862
> > [k5c_precreate_ccache] (0x4000): Recreating ccache
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [k5c_setup_fast]
> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/1.1@test.com]
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862
> > [find_principal_in_keytab] (0x4000): Trying to find principal host/
> > 1.1@test.com in keytab.
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [match_principal]
> > (0x1000): Principal matched to the sample (host/1.1@test.com).
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [get_tgt_times]
> > (0x1000): FAST ccache must be recreated
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864 [become_user]
> > (0x0200): Trying to become user [0][0].
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864 [become_user]
> > (0x0200): Already user [0].
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864
> [check_fast_ccache]
> > (0x2000): Running as [0][0].
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864
> > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
> [true]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11864 [create_ccache]
> > (0x4000): Initializing ccache of type [FILE]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [check_fast_ccache]
> > (0x0200): FAST TGT was successfully recreated!
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [become_user]
> > (0x0200): Trying to become user [5102][701].
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [main] (0x2000):
> > Running as [5102][701].
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [k5c_setup]
> > (0x2000): Running as [5102][701].
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [set_lifetime_options] (0x0100): Cannot read
> [SSSD_KRB5_RENEWABLE_LIFETIME]
> > from environment.
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> > environment.
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
> [true]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [main] (0x0400):
> > Will perform online auth
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [tgt_req_child]
> > (0x1000): Attempting to get a TGT
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [get_and_save_tgt]
> > (0x0400): Attempting kinit for realm [TEST.COM]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18425: Getting
> > initial credentials for q-tempu...@test.com
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18471: FAST armor
> > ccache: MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18502: Retrieving
> > host/1.1@test.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/
> TEST.COM
> > \@TEST.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
> > with result: -1765328243/Matching credential not found
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18545: Sending
> > request (189 bytes) to TEST.COM
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.187.36: Initiating
> > TCP connection to stre
> > (END)
>
> Does the krb5_child.log really ends h

Re: [Freeipa-users] unable to authenticate using freeipa client

2016-03-14 Thread Rakesh Rajasekharan
For the error in the krb5_child.log
(Tue Mar 15 04:35:51 2016) [[sssd[krb5_child[13708
[sss_child_krb5_trace_cb] (0x4000): [13708] 1458016551.87210: Received
error from KDC: -1765328359/Additional pre-authentication required

I deleted the sssd cache as well as the /tmp/krb5* and restarted sssd, but
the issue still persists.

Another error that I see is in /var/log/secure

Mar 14 21:35:51 ip-1-1-1-1 sshd[13705]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
user=q-tempuser
Mar 14 21:35:51 ip-1-1-1-1 sshd[13705]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
user=q-tempuser
Mar 14 21:35:51 ip-1-1-1-1 sshd[13705]: pam_sss(sshd:auth): received for
user q-tempuser: 4 (System error)

I have "UsePAM yes" and "GSSAPIAuthentication yes" in sshd_config.

So not sure what's causing this.

I tried uninstalling and installing back the client as well, but it did not
help.

Anything else that I might be missing out?

Thanks,
Rakesh




On Mon, Mar 14, 2016 at 5:50 PM, Rakesh Rajasekharan <
rakesh.rajasekha...@gmail.com> wrote:

> I set up freeipa in my environment and works perfectly.
>
> But just on one host, I am not able to authenticate. I get a permission
> denied error.
>
> The sssd version I have is 1.12
>
> the krb5_child log does point to some error,
> krb5_child.log
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [unpack_buffer]
> (0x2000): No old ccache
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_5102_XX] old_ccname: [not set]
> keytab: [/etc/krb5.keytab]
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862
> [k5c_precreate_ccache] (0x4000): Recreating ccache
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/1.1@test.com]
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862
> [find_principal_in_keytab] (0x4000): Trying to find principal host/
> 1.1@test.com in keytab.
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [match_principal]
> (0x1000): Principal matched to the sample (host/1.1@test.com).
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [get_tgt_times]
> (0x1000): FAST ccache must be recreated
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864 [become_user]
> (0x0200): Trying to become user [0][0].
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864 [become_user]
> (0x0200): Already user [0].
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864 [check_fast_ccache]
> (0x2000): Running as [0][0].
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11864 [create_ccache]
> (0x4000): Initializing ccache of type [FILE]
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [check_fast_ccache]
> (0x0200): FAST TGT was successfully recreated!
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [become_user]
> (0x0200): Trying to become user [5102][701].
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [main] (0x2000):
> Running as [5102][701].
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [k5c_setup]
> (0x2000): Running as [5102][701].
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [main] (0x0400):
> Will perform online auth
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [TEST.COM]
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18425: Getting
> initial credentials for q-tempu...@test.com
>
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18471: FAST armor
> ccache: MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
>
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18502: Retrieving
> host/1.1@test.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.COM
> \@TEST.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_c

[Freeipa-users] unable to authenticate using freeipa client

2016-03-14 Thread Rakesh Rajasekharan
I set up freeipa in my environment and works perfectly.

But just on one host, I am not able to authenticate. I get a permission
denied error.

The sssd version I have is 1.12

the krb5_child log does point to some error,
krb5_child.log
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [unpack_buffer]
(0x2000): No old ccache
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_5102_XX] old_ccname: [not set]
keytab: [/etc/krb5.keytab]
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862
[k5c_precreate_ccache] (0x4000): Recreating ccache
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/1.1@test.com]
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862
[find_principal_in_keytab] (0x4000): Trying to find principal host/
1.1@test.com in keytab.
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [match_principal]
(0x1000): Principal matched to the sample (host/1.1@test.com).
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [get_tgt_times]
(0x1000): FAST ccache must be recreated
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864 [become_user]
(0x0200): Trying to become user [0][0].
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864 [become_user]
(0x0200): Already user [0].
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864 [check_fast_ccache]
(0x2000): Running as [0][0].
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11864 [create_ccache]
(0x4000): Initializing ccache of type [FILE]
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [check_fast_ccache]
(0x0200): FAST TGT was successfully recreated!
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [become_user]
(0x0200): Trying to become user [5102][701].
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [main] (0x2000):
Running as [5102][701].
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [k5c_setup]
(0x2000): Running as [5102][701].
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [main] (0x0400):
Will perform online auth
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [tgt_req_child]
(0x1000): Attempting to get a TGT
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [get_and_save_tgt]
(0x0400): Attempting kinit for realm [TEST.COM]
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
[sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18425: Getting
initial credentials for q-tempu...@test.com

(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
[sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18471: FAST armor
ccache: MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM

(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
[sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18502: Retrieving
host/1.1@test.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.COM
\@TEST.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
with result: -1765328243/Matching credential not found

(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
[sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18545: Sending
request (189 bytes) to TEST.COM

(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
[sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.187.36: Initiating
TCP connection to stre
(END)


And here are the contents from sssd_domain.log
sssd_test.com
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
domain: test.com
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
user: q-tempuser
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
service: sshd
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
tty: ssh
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
ruser:
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
rhost: 127.0.0.1
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
authtok type: 1
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
newauthtok type: 0
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
priv: 1
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
cli_pid: 11794
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
logon name: not set
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Added 

[Freeipa-users] version compatibility between server and client

2016-02-26 Thread Rakesh Rajasekharan
Hi!

I had successfully set up ipa in our qa environment, but since we are
running CentOS 6, I just got the 3.0.25 version of IPA.

I wanted to try out the latest 4.x version for the server by using a CentOS 7
OS. But I have a few questions regarding that.

Will there be compatibility issues if I use a server at 4.x and clients at
3.0.25?

Another question is,
From the documentation, I see that there's an option to manually configure a
client wherein we do not have to install freeipa-client using
ipa-client-install

https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/linux-manual.html

So that way, I can install the latest version of freeipa server and make
my clients also be able to use the latest version without actually
installing it.

But are there any issues with this approach, and how does it differ from
doing an ipa-client-install on the client machine?

Thanks,
Rakesh

Re: [Freeipa-users] freeipa permission denied for user

2016-02-19 Thread Rakesh Rajasekharan
> Actually, it should be 1777
>
> sh$ ls -ld /tmp/
> drwxrwxrwt. 11 root root 260 Feb 19 10:27 /tmp/
>          ^
> This is important.

Yes, I have now corrected them. Thanks.



On Fri, Feb 19, 2016 at 2:59 PM, Lukas Slebodnik <lsleb...@redhat.com>
wrote:

> On (19/02/16 14:54), Rakesh Rajasekharan wrote:
> >>
> >>This usually means a critical error in sssd.
> >> Please provide log files (sssd_$domain.log and krb5_child.log)
> >
> >I found this in my sssd-$domain.log
> >
> > [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user
> >[tempuser] found
> >
> >so searching around I found that the permissions for the /tmp directory
> >should be 777..
> >
> >setting it to 777 fixed the issue for me..
> >
> Actually, it should be 1777
>
> sh$ ls -ld /tmp/
> drwxrwxrwt. 11 root root 260 Feb 19 10:27 /tmp/
>          ^
> This is important.
>
> LS
>

Re: [Freeipa-users] freeipa permission denied for user

2016-02-19 Thread Rakesh Rajasekharan
>
> This usually means a critical error in sssd.
> Please provide log files (sssd_$domain.log and krb5_child.log)

I found this in my sssd-$domain.log

 [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user
[tempuser] found

So, searching around I found that the permissions for the /tmp directory
should be 777.

Setting it to 777 fixed the issue for me.



Thanks,
Rakesh



On Fri, Feb 19, 2016 at 1:08 PM, Lukas Slebodnik <lsleb...@redhat.com>
wrote:

> On (18/02/16 18:41), Rakesh Rajasekharan wrote:
> >I set up freeipa on our environment and it works perfectly for most of
> >the hosts, but on a few I am getting a permission denied.
> >
> >[root@ipa-client-1c :~] ssh tempuser@localhost
> >tempuser@localhost's password:
> >Permission denied, please try again.
> >tempuser@localhost's password:
> >
> >
> >
> >
> >I checked the hbac, but that seems to be fine
> >
> >root@ipa-master-test-1b ] ipa hbactest --user=tempuser --host=x.x.x.x
> >--service=sshd
> >
> >Access granted: True
> >
> >  Matched rules: allow_all
> >
> >
> >Another thing I noticed is the nsswitch.conf had the below entries after
> >the freeipa installation
> >passwd: files sss ldap
> >shadow: files sss ldap
> >group:  files sss ldap
> >
> >hosts:  files dns
> >
> >
> >bootparams: nisplus [NOTFOUND=return] files
> >
> >ethers: files
> >netmasks:   files
> >networks:   files
> >protocols:  files
> >rpc:files
> >services:   files sss
> >
> >netgroup:   files sss ldap
> >
> >publickey:  nisplus
> >
> >automount:  files ldap
> >aliases:files nisplus
> >
> >sudoers: files sss
> >
> >
> >The ldap shouldn't be there above I guess..
> >
> >and from the logs, i have the below errors
> >
> >==> /var/log/secure <==
> >Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth):
> authentication
> >failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=tempuser
> >Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication
> >failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> >Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for
> >user tempuser: 4 (System error)
> 
> This usually means a critical error in sssd.
> Please provide log files (sssd_$domain.log and krb5_child.log)
> with high debug level.
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> Which version of sssd do you have?
>
> LS
>
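Lukas's point above is that a `4 (System error)` from pam_sss means sssd itself failed, which is a different problem from a rejected password or an HBAC denial (the `account` stage that `ipa hbactest` exercises). The script below is an added example, not code from the list or from SSSD: it parses constructed /var/log/secure lines modelled on the excerpts in these threads, groups them per sshd session and assigns each a triage verdict; the codes 4, 6 and 7 are the Linux-PAM values PAM_SYSTEM_ERR, PAM_PERM_DENIED and PAM_AUTH_ERR, and treating a code 6 at the `account` stage as an access-control denial is an assumption of this example.

```python
import re
from typing import Dict

# Linux-PAM return codes as they appear in pam_sss messages ("<n> (<text>)").
# 4 = PAM_SYSTEM_ERR is an sssd-side failure, not a credential problem.
PAM_SYSTEM_ERR, PAM_PERM_DENIED, PAM_AUTH_ERR = 4, 6, 7

# Constructed sample modelled on the /var/log/secure excerpts in this thread
# (hosts, users and addresses are placeholders, not real systems).
SAMPLE_SECURE_LOG = """\
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=tempuser
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
Feb 18 03:29:35 ip-x-x-x-x sshd[24851]: Failed password for tempuser from x.x.x.x port 36687 ssh2
Feb 18 03:40:10 ip-x-x-x-x sshd[24900]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Feb 18 03:40:10 ip-x-x-x-x sshd[24900]: pam_sss(sshd:auth): received for user alice: 7 (Authentication failure)
Feb 18 03:45:00 ip-x-x-x-x sshd[24950]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.6 user=bob
Feb 18 03:45:00 ip-x-x-x-x sshd[24950]: pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)
"""

# Matches both "received for user X: 4 (System error)" (auth stage) and
# "Access denied for user X: 6 (Permission denied)" (account stage).
RESULT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:(?P<stage>auth|account)\): "
    r".*?user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)
# The auth-stage line carries the client address (rhost=...).
RHOST_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): .*?rhost=(?P<rhost>\S*)"
)

HINTS = {
    "sssd_internal_error": "sssd itself failed: read sssd_$domain.log and "
                           "krb5_child.log at a high debug level.",
    "wrong_credentials": "credentials rejected; no sssd fault indicated.",
    "access_control_denied": "account stage denied: compare with 'ipa hbactest'.",
    "other": "unclassified pam_sss result; inspect the line by hand.",
}


def classify(stage: str, code: int) -> str:
    """Map a pam_sss stage and PAM return code to a triage verdict."""
    if code == PAM_SYSTEM_ERR:
        return "sssd_internal_error"
    if stage == "auth" and code == PAM_AUTH_ERR:
        return "wrong_credentials"
    if stage == "account" and code == PAM_PERM_DENIED:
        return "access_control_denied"
    return "other"


def triage(log_text: str) -> Dict[str, dict]:
    """Group pam_sss results per sshd session (pid) and attach a verdict."""
    sessions: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = RHOST_RE.search(line)
        if m:
            sessions.setdefault(m["pid"], {})["rhost"] = m["rhost"]
        m = RESULT_RE.search(line)
        if m:
            verdict = classify(m["stage"], int(m["code"]))
            sessions.setdefault(m["pid"], {}).update(
                user=m["user"], stage=m["stage"], code=int(m["code"]),
                verdict=verdict, hint=HINTS[verdict])
    # Sessions without a pam_sss result line are not actionable here.
    return {pid: s for pid, s in sessions.items() if "verdict" in s}


if __name__ == "__main__":
    for pid, s in triage(SAMPLE_SECURE_LOG).items():
        print(f"sshd[{pid}] user={s['user']} rhost={s.get('rhost', '?')} "
              f"{s['stage']} -> {s['verdict']}: {s['hint']}")
```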

Re: [Freeipa-users] freeipa permission denied for user

2016-02-18 Thread Rakesh Rajasekharan
The permission for /etc/krb5.conf was already set to 644. So that aspect
looks fine.

I think it might be something to do with the PAM settings.


Here is my sssd.conf
[root@ipa-client :/etc/sssd] cat sssd.con
[domain/xyz.com]
krb5_auth_timeout = 30

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xyz.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = x.x.x.x
chpass_provider = ipa
ipa_server = _srv_, ipa-master.xyz.com
dns_discovery_domain = xyz.com
[domain/default]

ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldap,dc=qa,dc=xyz,dc=com
krb5_realm = xyz.com
krb5_server = ipa-master.xyz.com:88
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap-int.xyz.com:636
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = default, xyz.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]



Thanks,
Rakesh

On Thu, Feb 18, 2016 at 6:52 PM, Martin Kosek <mko...@redhat.com> wrote:

> On 02/18/2016 02:11 PM, Rakesh Rajasekharan wrote:
> > I set up freeipa on our environment and it works perfectly for most of
> > the hosts, but on a few I am getting a permission denied.
> >
> > [root@ipa-client-1c :~] ssh tempuser@localhost
> > tempuser@localhost's password:
> > Permission denied, please try again.
> > tempuser@localhost's password:
> >
> >
> >
> >
> > I checked the hbac, but that seems to be fine
> >
> > root@ipa-master-test-1b ] ipa hbactest --user=tempuser --host=x.x.x.x
> > --service=sshd
> > 
> > Access granted: True
> > 
> >   Matched rules: allow_all
> >
> >
> > Another thing I noticed is the nsswitch.conf had the below entries after
> > the freeipa installation
> > passwd: files sss ldap
> > shadow: files sss ldap
> > group:  files sss ldap
> >
> > hosts:  files dns
> >
> >
> > bootparams: nisplus [NOTFOUND=return] files
> >
> > ethers: files
> > netmasks:   files
> > networks:   files
> > protocols:  files
> > rpc:files
> > services:   files sss
> >
> > netgroup:   files sss ldap
> >
> > publickey:  nisplus
> >
> > automount:  files ldap
> > aliases:files nisplus
> >
> > sudoers: files sss
> >
> >
> > The ldap shouldn't be there above I guess..
> >
> > and from the logs, i have the below errors
> >
> > ==> /var/log/secure <==
> > Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth):
> authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
> user=tempuser
> > Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth):
> authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> > Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for
> > user tempuser: 4 (System error)
> > Feb 18 03:29:35 ip-x-x-x-x sshd[24851]: Failed password for tempuser from
> > x.x.x.x port 36687 ssh2
> > Feb 18 03:29:39 ip-x-x-x-x sshd[24853]: Connection closed by x.x.x.x
> > Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_unix(sshd:auth):
> authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
> user=tempuser
> > Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth):
> authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
> user=tempuser
> > Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): received for
> > user tempuser: 4 (System error)
> > Feb 18 03:34:19 ip-x-x-x-x sshd[25108]: Failed password for tempuser from
> > 127.0.0.1 port 59870 ssh2
> >
> >
> > ==> /var/log/messages <==
> > Feb 18 03:37:45 ip-x-x-x-x sssd[be[xyz.com]]: Shutting down
> > Feb 18 03:37:45 ip-x-x-x-x sssd: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[nss]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[sudo]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[pam]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[pac]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[ssh]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing
> failed
> > : Input/output error
> > Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing
> failed
> > : Input/output error
> > Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
> > Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
>
> Could it be caused by /etc/krb5.conf permissions as here:
> https://lists.fedorahosted.org/pipermail/sssd-users/2014-August/002103.html
> ?
>
> Some advise is also here:
>
> http://serverfault.com/questions/697113/linux-ad-integration-unable-to-login-when-using-windows-server-2012-dc
>
> Martin
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] freeipa permission denied for user

2016-02-18 Thread Rakesh Rajasekharan
I set up freeipa on our environment and it works perfectly for most of the
hosts.. but on a few I am getting a permission denied.

[root@ipa-client-1c :~] ssh tempuser@localhost
tempuser@localhost's password:
Permission denied, please try again.
tempuser@localhost's password:




I checked the hbac, but that seems to be fine

root@ipa-master-test-1b ] ipa hbactest --user=tempuser --host=x.x.x.x
--service=sshd

Access granted: True

  Matched rules: allow_all


Another thing I noticed is the nsswitch.conf had the below entries after
the freeipa installation
passwd: files sss ldap
shadow: files sss ldap
group:  files sss ldap

hosts:  files dns


bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus

sudoers: files sss


The ldap shouldn't be there above I guess..

and from the logs, I have the below errors

==> /var/log/secure <==
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=tempuser
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for
user tempuser: 4 (System error)
Feb 18 03:29:35 ip-x-x-x-x sshd[24851]: Failed password for tempuser from
x.x.x.x port 36687 ssh2
Feb 18 03:29:39 ip-x-x-x-x sshd[24853]: Connection closed by x.x.x.x
Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=tempuser
Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=tempuser
Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): received for
user tempuser: 4 (System error)
Feb 18 03:34:19 ip-x-x-x-x sshd[25108]: Failed password for tempuser from
127.0.0.1 port 59870 ssh2


==> /var/log/messages <==
Feb 18 03:37:45 ip-x-x-x-x sssd[be[xyz.com]]: Shutting down
Feb 18 03:37:45 ip-x-x-x-x sssd: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[nss]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[sudo]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[pam]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[pac]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[ssh]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed
: Input/output error
Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed
: Input/output error
Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied

Re: [Freeipa-users] Connection closed by UNKNOWN

2016-02-16 Thread Rakesh Rajasekharan
>Why is both pam_ldap and pam_sss in the PAM stack? This seems a bit
>wrong..
This was the pointer... there was a prior installation of openldap and the
entries for ldap were still there..

auth        sufficient    pam_ldap.so use_first_pass

account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

password    sufficient    pam_ldap.so use_authtok

session     optional      pam_ldap.so


I removed it and everything works perfectly...

Thanks!!

On Mon, Feb 15, 2016 at 9:16 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Mon, Feb 15, 2016 at 06:59:57PM +0530, Rakesh Rajasekharan wrote:
> > this is what I have in /var/log/secure
> >
> > Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_unix(sshd:auth): authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
> user=tempuser
> > Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_sss(sshd:auth): authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> > Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_sss(sshd:auth): received for
> user
> > tempuser: 7 (Authentication failure)
> > Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_ldap: ldap_simple_bind Can't
> > contact LDAP server
> > Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_ldap: reconnecting to LDAP
> > server...
> > Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_ldap: ldap_simple_bind Can't
> > contact LDAP server
>
> Why is both pam_ldap and pam_sss in the PAM stack? This seems a bit
> wrong..
>
> > Feb 15 12:22:35 ipa-xyz sshd[13499]: Failed password for tempuser from
> > x.x.x.x port 34318 ssh2
> > Feb 15 12:22:37 ipa-xyz sshd[13500]: Connection closed by x.x.x.x
> > Feb 15 12:31:32 ipa-xyz sshd[13859]: Accepted publickey for root from
> > x.x.x.x port 56275 ssh2
> > Feb 15 12:31:32 ipa-xyz sshd[13859]: pam_unix(sshd:session): session
> opened
> > for user root by (uid=0)
> > Feb 15 13:01:32 ipa-xyz sshd[13859]: Received disconnect from x.x.x.x:
> 11:
> > disconnected by user
> >
> > but both 389 and 636 ports are listening
> > # ] netstat -tunlp |grep 636
> > tcp        0      0 :::636      :::*      LISTEN      9564/ns-slapd
> >
> > #] netstat -tunlp |grep 389
> > tcp        0      0 :::7389     :::*      LISTEN      9495/ns-slapd
> > tcp        0      0 :::389      :::*      LISTEN      9564/ns-slapd
> >
> >
> > And from /var/log/sssd/sssd_xyz.com.log
> >
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data]
> (0x0100):
> > command: PAM_AUTHENTICATE
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data]
> (0x0100):
> > domain: xyz.com
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data]
> (0x0100):
> > user: tempuser
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data]
> (0x0100):
> > service: sshd
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data]
> (0x0100):
> > tty: ssh
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data]
> (0x0100):
> > ruser:
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data]
> (0x0100):
> > rhost: x.x.x.x
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data]
> (0x0100):
> > authtok type: 1
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data]
> (0x0100):
> > newauthtok type: 0
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data]
> (0x0100):
> > priv: 1
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data]
> (0x0100):
> > cli_pid: 13499
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data]
> (0x0100):
> > logon name: not set
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]]
> > [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user
> > [tempuser] found.
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [fo_resolve_service_send]
> > (0x0100): Trying to resolve service 'IPA'
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [get_server_status]
> > (0x1000): Status of server 'ipa.xyz.com' is 'working'
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [get_port_status]
> (0x1000):
> > Port status of port 0 for server 'ipa.xyz.com' is 'working'
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [get_server_status]
> > (0x1000): Status of server 'ipa.xyz.com' is 'working'
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]]
> [be_resolve_server_process]
> > (0x1000): Saving the first resolved server
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]]
> [be_resolve_server_process]
> >
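Two pointers in this thread can be checked mechanically on a client: Martin's question about /etc/krb5.conf permissions (the `krb5_child` "Permission denied" lines), and the stale pam_ldap / nss "ldap" entries that turned out to be the cause of the "Connection closed" problem. The script below is an added example, not code from the thread or from the FreeIPA or SSSD projects. It builds constructed sample files in a temporary directory (the PAM lines are modelled on the leftover pam_ldap stack posted above); the function names and file layout are assumptions made for the example. To run the checks for real, point the functions at /etc/pam.d/system-auth, /etc/nsswitch.conf and /etc/krb5.conf.

```shell
#!/bin/sh
# Added example, not from the thread: audit an IPA client for
#  1. pam_ldap.so lines left in the PAM stack next to pam_sss.so,
#  2. nsswitch.conf databases that still list "ldap" after "sss",
#  3. an /etc/krb5.conf that unprivileged processes (krb5_child) cannot read.
# Everything below runs on constructed sample files in a temp dir.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed PAM stack: pam_sss lines plus the leftover pam_ldap lines.
cat > "$SAMPLE_DIR/system-auth" <<'EOF'
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_sss.so
session     optional      pam_ldap.so
EOF

# Constructed nsswitch.conf with the "ldap" source still listed after sss.
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
hosts:      files dns
netgroup:   files sss ldap
automount:  files ldap
sudoers:    files sss
EOF

# Constructed krb5.conf, deliberately made unreadable to non-owners.
printf '[libdefaults]\n  default_realm = EXAMPLE.TEST\n' > "$SAMPLE_DIR/krb5.conf"
chmod 600 "$SAMPLE_DIR/krb5.conf"

# Print non-comment PAM lines that load pam_ldap.so; return 1 if any exist.
find_pam_ldap() {
    hits=$(grep -Ev '^[[:space:]]*#' "$1" | grep 'pam_ldap\.so' || true)
    if [ -n "$hits" ]; then
        printf '%s: stale pam_ldap entries:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# Count nsswitch databases that list "ldap" after "sss": every lookup would
# also be tried against an LDAP client stack that is no longer configured.
count_nss_ldap_after_sss() {
    grep -Ev '^[[:space:]]*#' "$1" \
      | grep -Ec '^[a-z_]+:.*[[:space:]]sss([[:space:]].*)?[[:space:]]ldap([[:space:]]|$)' || true
}

# Return 0 if "others" can read the file, 1 otherwise (find -perm -004 is POSIX).
is_world_readable() {
    [ -n "$(find "$1" -perm -004 -print)" ]
}

# Run the three checks on a directory holding the files; return 1 if anything needs fixing.
audit_client() {
    status=0
    find_pam_ldap "$1/system-auth" || status=1
    n=$(count_nss_ldap_after_sss "$1/nsswitch.conf")
    if [ "$n" -gt 0 ]; then
        echo "$1/nsswitch.conf: $n database(s) still list ldap after sss"
        status=1
    fi
    if ! is_world_readable "$1/krb5.conf"; then
        echo "$1/krb5.conf: not world-readable; krb5_child would get 'Permission denied'"
        status=1
    fi
    return $status
}

audit_client "$SAMPLE_DIR" || echo "audit: fixes needed (expected for the sample)"
```

The PAM check is the one that explains the symptom in this thread: with pam_ldap.so still in the `auth` and `account` phases, sshd consults a module whose server no longer exists, and the "Can't contact LDAP server" lines appear in /var/log/secure even though pam_sss itself authenticated the user.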

Re: [Freeipa-users] Connection closed by UNKNOWN

2016-02-15 Thread Rakesh Rajasekharan
this is what I have in /var/log/secure

Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=tempuser
Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_sss(sshd:auth): received for user
tempuser: 7 (Authentication failure)
Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_ldap: ldap_simple_bind Can't
contact LDAP server
Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_ldap: reconnecting to LDAP
server...
Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_ldap: ldap_simple_bind Can't
contact LDAP server
Feb 15 12:22:35 ipa-xyz sshd[13499]: Failed password for tempuser from
x.x.x.x port 34318 ssh2
Feb 15 12:22:37 ipa-xyz sshd[13500]: Connection closed by x.x.x.x
Feb 15 12:31:32 ipa-xyz sshd[13859]: Accepted publickey for root from
x.x.x.x port 56275 ssh2
Feb 15 12:31:32 ipa-xyz sshd[13859]: pam_unix(sshd:session): session opened
for user root by (uid=0)
Feb 15 13:01:32 ipa-xyz sshd[13859]: Received disconnect from x.x.x.x: 11:
disconnected by user

but both 389 and 636 ports are listening
# ] netstat -tunlp |grep 636
tcp        0      0 :::636      :::*      LISTEN      9564/ns-slapd

#] netstat -tunlp |grep 389
tcp        0      0 :::7389     :::*      LISTEN      9495/ns-slapd
tcp        0      0 :::389      :::*      LISTEN      9564/ns-slapd


And from /var/log/sssd/sssd_xyz.com.log

(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100):
command: PAM_AUTHENTICATE
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100):
domain: xyz.com
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100):
user: tempuser
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100):
service: sshd
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100):
tty: ssh
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100):
ruser:
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100):
rhost: x.x.x.x
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100):
authtok type: 1
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100):
newauthtok type: 0
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100):
priv: 1
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100):
cli_pid: 13499
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100):
logon name: not set
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]]
[krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user
[tempuser] found.
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [get_server_status]
(0x1000): Status of server 'ipa.xyz.com' is 'working'
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [get_port_status] (0x1000):
Port status of port 0 for server 'ipa.xyz.com' is 'working'
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [get_server_status]
(0x1000): Status of server 'ipa.xyz.com' is 'working'
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [be_resolve_server_process]
(0x1000): Saving the first resolved server
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [be_resolve_server_process]
(0x0200): Found address for server ipa.xyz.com: [x.x.x.x] TTL 7200
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [child_sig_handler]
(0x1000): Waiting for child [13501].
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [child_sig_handler]
(0x0100): child [13501] finished successfully.
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 7, ) [Success]
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback]
(0x0100): Sending result [7][xyz.com]
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback]
(0x0100): Sent result [7][xyz.com]



Thanks,
Rakesh


On Mon, Feb 15, 2016 at 3:45 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Mon, Feb 15, 2016 at 10:24:23AM +0530, Rakesh Rajasekharan wrote:
> > hbac seems to be fine
> >
> >
> > ipa hbactest --user=q-temp --host=x.x.x.x --service=sshd
> > 
> > Access granted: True
> > 
> >   Matched rules: allow_all
> >
> >
> > I see this in the sssd.log
> >
> > (Mon Feb 15 04:49:18 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000):
> > Checking negative cache for [NCE/USER/xyz.com/q-temp]
> > (Mon Feb 15 04:49:18 2016) [sssd[nss]] [nss_cmd_getpwnam_search]
> (0x0100):
> > Re

Re: [Freeipa-users] Connection closed by UNKNOWN

2016-02-14 Thread Rakesh Rajasekharan
hbac seems to be fine


ipa hbactest --user=q-temp --host=x.x.x.x --service=sshd

Access granted: True

  Matched rules: allow_all


I see this in the sssd.log

(Mon Feb 15 04:49:18 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/USER/xyz.com/q-temp]
(Mon Feb 15 04:49:18 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [q-t...@xyz.com]
(Mon Feb 15 04:49:18 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry
is valid, returning..
(Mon Feb 15 04:49:18 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400):
Returning info for user [q-t...@xyz.com]
(Mon Feb 15 04:49:18 2016) [sssd[nss]] [client_recv] (0x0200): Client
disconnected!
(Mon Feb 15 04:49:18 2016) [sssd[nss]] [client_destructor] (0x2000):
Terminated client [0x23d2f80][20]
(Mon Feb 15 04:49:27 2016) [sssd[nss]] [sbus_get_sender_id_send] (0x2000):
Not a sysbus message, quit

On Sat, Feb 13, 2016 at 4:41 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Sat, Feb 13, 2016 at 07:38:16AM +0530, Rakesh Rajasekharan wrote:
> > I started up with freeipa and setup a server and a client
> >
> >
> > Now when I add a user and try logging in,
> > it successfully prompts for the password change and completes setting up
> > the new password.
> >
> > However, when I again try to login with the new password, it gives me the
> > below error
> >
> > "Connection closed by UNKNOWN"
> >
> > In /var/log/secure , I see this
> >
> > fatal: Access denied for user t-temp by PAM account configuration.
> >
> > Any pointers on what I could have done wrong in the setup, or whether I
> > could have missed something?
>
> I would guess HBAC if that message comes from pam_sss.
>
>

[Freeipa-users] Connection closed by UNKNOWN

2016-02-12 Thread Rakesh Rajasekharan
I started up with freeipa and setup a server and a client


Now when I add a user and try logging in,
it successfully prompts for the password change and completes setting up
the new password.

However, when I again try to login with the new password, it gives me the
below error

"Connection closed by UNKNOWN"

In /var/log/secure , I see this

fatal: Access denied for user t-temp by PAM account configuration.

Any pointers on what I could have done wrong in the setup, or whether I could
have missed something?

Thanks.
Rakesh

Re: [Freeipa-users] Can I revert back the hostname on client

2015-01-16 Thread Rakesh Rajasekharan
> What doesn't work?
We have glassfish running on a few of the hosts. That refuses to restart
after the hostname change. (However, it looks like someone found a way out.)
I did not face issues with that today. So, that I guess is pretty much
fixable.
Apart from that, at the moment we do not see any other issues.
The only issue I can think of is, in case you have your scripts/applications
referring to your machine with its host-names instead of IP, won't that cause
a problem?

> You can tell SSSD to use a different hostname instead of the one the host
> actually uses.
> See SSSD man pages for that.
> You might also need to do a similar thing with krb5.conf by setting
> dns_canonicalize_hostname and make sure your DNS can actually resolve the
> short hostnames to FQDNs

Will give this a try.


On Wed, Jan 14, 2015 at 11:58 PM, Dmitri Pal d...@redhat.com wrote:

 On 01/14/2015 03:38 AM, Petr Spacek wrote:

 Hello,

 On 14.1.2015 06:13, Rakesh Rajasekharan wrote:

 Freeipa changes the hostname to FQDN. But in our existing set up that can
 cause issues.

 Could you be more specific? It would help if we had detailed bug reports
 about
 this but up to know everybody just said 'I need non-FQDN hostname' but
 did not
 add any details :-)

 What doesn't work?

  Can I revert back the hostname to previous value once the client
 installation is complete.

 You might see all sorts of breakages related to Kerberos, sorry.

  I am fine with server having a FQDN.

 You can tell SSSD to use a different hostname instead of the one the host
 actually uses.
 See SSSD man pages for that.
 You might also need to do a similar thing with krb5.conf by setting
 dns_canonicalize_hostname and make sure your DNS can actually resolve the
 short hostnames to FQDNs

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.




[Freeipa-users] Can I revert back the hostname on client

2015-01-13 Thread Rakesh Rajasekharan
Hi,

Freeipa changes the hostname to FQDN. But in our existing set up that can
cause issues.

Can I revert back the hostname to previous value once the client
installation is complete.
I am fine with server having a FQDN.

Thanks,
Rakesh

Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-13 Thread Rakesh Rajasekharan
Thanks, that worked.. users are now able to get the password changed without
any issues...

Will do a few more tests on this, but at this point it looks like that was the
issue

~Rakesh

On Tue, Jan 13, 2015 at 1:52 PM, Sumit Bose sb...@redhat.com wrote:

 On Tue, Jan 13, 2015 at 12:48:18PM +0530, Rakesh Rajasekharan wrote:
  Does it work for the same user from the client  if you reset password
 on
  the server, authenticate from the client and then force reset again on
 the
  server?
  When I force reset a user, he still faces the same "token manipulation"
  error when he tries to log in. However, when he tries
  getting into the server, he now gets prompted for the password change and
  is successfully able to get through.
 
  So, at this point we have a workaround though something seems not right
 at
  the clients.
  Can you add a new client and see whether it works there?
 
  Have you tried re-installing the client?
  Yes, I did try reinstalling but that did not help
 
 
  Sorry, I meant the full krb5_child.log ...
 
  This is how I get the logs in krb5_child.
 
  when a user tries to authenticate with the random password that I
 generated,
 
  WARNING: Your password has expired.
  You must change your password now and login again!
  Changing password for user hq-testuser.
  Current Password:
  New password:
  Retype new password:
  passwd: Authentication token manipulation erro
 
  And on the krb5_child.log, these are the entries
 
  (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [unpack_buffer]
  (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab:
  [/etc/krb5.keytab]
  (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
  [set_lifetime_options] (0x0100): Cannot read
 [SSSD_KRB5_RENEWABLE_LIFETIME]
  from environment.
  (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
  [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
  environment.
  (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
  [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
 [true]
  (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [k5c_setup_fast]
  (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
  qa-dummy-int.test@test.com]
  (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [match_principal]
  (0x1000): Principal matched to the sample (host/
  qa-dummy-int.test@test.com).
  (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
 [check_fast_ccache]
  (0x0200): FAST TGT is still valid.
  (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [main] (0x0400):
  Will perform password change
  (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [changepw_child]
  (0x1000): Password change operation
  (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [changepw_child]
  (0x0400): Attempting kinit for realm [TEST.COM]
 
 
  This does not go beyond this. However, when I attempt another login, the
  logs start moving from this point (the time stamps start from 6:54 AM)
 
  WARNING: Your password has expired.
  You must change your password now and login again!
  Changing password for user hq-testuser.
  Current Password:
  New password:
  Retype new password:
  passwd: Authentication token manipulation erro
 
  now the krb5_child.log adds following lines
 
  (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [main] (0x0400):
  krb5_child started.
  (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [unpack_buffer]
  (0x1000): total buffer size: [134]TEST
  (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [unpack_buffer]
  (0x0100): cmd [241] uid [71061] gid [71061] validate [true]
  enterprise principal [false] offline [false] UPN [hq-testu...@test.com]
  (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [unpack_buffer]
  (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab:
  [/etc/krb5.keytab]
  (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
  [set_lifetime_options] (0x0100): Cannot read
 [SSSD_KRB5_RENEWABLE_LIFETIME]
  from environment.
  (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
  [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
  environment.
  (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
  [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
 [true]
  (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [k5c_setup_fast]
  (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
  qa-dummy-int.test@test.com]
  (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [match_principal]
  (0x1000): Principal matched to the sample (host/
  qa-dummy-int.test@test.com).
  (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
 [check_fast_ccache]
  (0x0200): FAST TGT is still valid.
  (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [main] (0x0400):
  Will perform online auth
  (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [tgt_req_child]
  (0x1000): Attempting to get a TGT
  (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514

Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Rakesh Rajasekharan
The sssd version is 1.11.6

The password does not get changed, whatever password gets generated by ipa
user-mod --random stays valid even after attempting the change.

krb5_child.log does not have any contents.

Thanks,
Rakesh

On Sun, Jan 11, 2015 at 9:01 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Sun, Jan 11, 2015 at 02:31:26PM +0530, Rakesh Rajasekharan wrote:
  Hi,
 
  I am having some issues with freeipa. Whenever I change the password for
  any user,
  he is not able to change the password, and he gets the error "authentication
  token manipulation error"
 
  Changing password for user hq-testuser.
  Current Password:
  New password:
  Retype new password:
  passwd: Authentication token manipulation error
 
 
  I was able to get this running on another environment; not sure what went
  wrong here.
 
  I have migrated my existing users from openldap.
 
  Thanks,
  Rakesh

 What is the sssd version?

 Is the password changed despite the error (you can test with kinit and
 either the new or the old password) ?

 Increasing sssd log verbosity and checking krb5_child.log might help,
 too.



Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Rakesh Rajasekharan
This is what I get now in the krb5_child.log after setting the debug_level

(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab:
[/etc/krb5.keytab]
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
qa-dummy-int.test@test.com)]
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [match_principal]
(0x1000): Principal matched to the sample (host/
qa-dummy-int.test@test.com).
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [main] (0x0400):
Will perform password change
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [changepw_child]
(0x1000): Password change operation
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [changepw_child]
(0x0400): Attempting kinit for realm [TEST.COM]



On Mon, Jan 12, 2015 at 2:31 PM, Lukas Slebodnik lsleb...@redhat.com
wrote:

 On (12/01/15 14:12), Rakesh Rajasekharan wrote:
 The sssd version is 1.11.6
 
 The password does not get changed, whatever password gets generated by ipa
 user-mod --random stays valid even after attempting the change.
 
 krb5_child.log does not have any contents.
 The logging in sssd is disabled by default. You need to increase the level of
 verbosity.

 Put debug_level = 7 into the domain section and restart sssd.
 It is also possible to change the debug level on the fly with the command line
 utility
 sss_debuglevel (part of package sssd-tools)

 LS

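Lukas's instruction above (put `debug_level = 7` into the domain section, then restart sssd) is the step most people get wrong by editing the wrong section or adding the key twice. The helper below is an added example, not code from the thread or from the SSSD project: a POSIX sh/awk routine that sets `debug_level` in exactly one `[section]` of an sssd.conf copy, replacing an existing value and never duplicating it, plus a reader to confirm the result. It works on a constructed sssd.conf in a temporary directory (the section and domain names follow the `xyz.com` placeholder used in this thread); the function names and the sample file are assumptions made for the example. For the real file use /etc/sssd/sssd.conf and the `domain/<your domain>` section, then restart sssd.

```shell
#!/bin/sh
# Added example, not from the thread: idempotently set debug_level inside one
# section of an sssd.conf copy and read it back. Plain POSIX sh and awk only.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SSSD_CONF="$SAMPLE_DIR/sssd.conf"

# Constructed sssd.conf in the shape an IPA client carries, with no
# debug_level set anywhere yet.
cat > "$SSSD_CONF" <<'EOF'
[domain/xyz.com]
cache_credentials = True
id_provider = ipa
ipa_server = _srv_, ipa.xyz.com
[sssd]
services = nss, sudo, pam, ssh
domains = xyz.com
[nss]
[pam]
EOF

# set_debug_level FILE SECTION LEVEL
# Rewrites FILE so that [SECTION] carries exactly one "debug_level = LEVEL":
# an existing line in that section is replaced, otherwise the line is added
# at the end of the section. Other sections are left untouched.
set_debug_level() {
    awk -v sec="[$2]" -v lvl="$3" '
        # Print the new line once: on the old debug_level line, or when the
        # target section ends without one (next header or end of file).
        function emit() { if (insec && !done) { print "debug_level = " lvl; done = 1 } }
        /^[[:space:]]*\[/ {
            emit()
            hdr = $0; sub(/[[:space:]]+$/, "", hdr)
            insec = (hdr == sec); done = 0
        }
        insec && /^[[:space:]]*debug_level[[:space:]]*=/ { emit(); next }
        { print }
        END { emit() }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_debug_level FILE SECTION
# Prints the debug_level value of [SECTION], or nothing if it is not set.
get_debug_level() {
    awk -v sec="[$2]" '
        /^[[:space:]]*\[/ { hdr = $0; sub(/[[:space:]]+$/, "", hdr); insec = (hdr == sec) }
        insec && /^[[:space:]]*debug_level[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }
    ' "$1"
}

# Raise the domain section to 7 twice: the second call must not add a line.
set_debug_level "$SSSD_CONF" "domain/xyz.com" 7
set_debug_level "$SSSD_CONF" "domain/xyz.com" 7
echo "domain debug_level now: $(get_debug_level "$SSSD_CONF" "domain/xyz.com")"
```

Only the `[domain/...]` section affects krb5_child.log, which is why a `debug_level` placed under `[sssd]` leaves that log empty, exactly the symptom reported earlier in this thread.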

Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Rakesh Rajasekharan
Under /var/log/secure I have this error:
passwd: pam_sss(passwd:chauthtok): Password change failed for user
hq-testuser: 22 (Authentication token lock busy)

On Mon, Jan 12, 2015 at 3:25 PM, Rakesh Rajasekharan 
rakesh.rajasekha...@gmail.com wrote:

 This is what I get now in the krb5_child.log after setting the
 debug_level

 (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [unpack_buffer]
 (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab:
 [/etc/krb5.keytab]
 (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709
 [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
 from environment.
 (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709
 [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
 environment.
 (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709
 [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
 (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [k5c_setup_fast]
 (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
 qa-dummy-int.test@test.com)]
 (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [match_principal]
 (0x1000): Principal matched to the sample (host/
 qa-dummy-int.test@test.com).
 (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [check_fast_ccache]
 (0x0200): FAST TGT is still valid.
 (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [main] (0x0400):
 Will perform password change
 (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [changepw_child]
 (0x1000): Password change operation
 (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [changepw_child]
 (0x0400): Attempting kinit for realm [TEST.COM]



 On Mon, Jan 12, 2015 at 2:31 PM, Lukas Slebodnik lsleb...@redhat.com
 wrote:

 On (12/01/15 14:12), Rakesh Rajasekharan wrote:
 The sssd version is 1.11.6
 
 The password does not get changed, whatever password gets generated by
 ipa
 user-mod --random stays valid even after attempting the change.
 
 krb5_child.log does not have any contents.
 The logging in sssd is disabled by default. You need to increase the level of
 verbosity.

 Put debug_level = 7 into the domain section and restart sssd.
 It is also possible to change the debug level on the fly with the command line
 utility
 sss_debuglevel (part of package sssd-tools)

 LS




Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Rakesh Rajasekharan
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x1000): total buffer size: [134]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): cmd [247] uid [71061] gid [71061] validate [true] enterprise principal [false] offline [false] UPN [hq-testu...@test.com]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab: [/etc/krb5.keytab]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test@test.com]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test@test.com).
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): Will perform password change checks
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Password change operation
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Initial authentication for change password operation successful.
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child completed successfully
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x1000): total buffer size: [153]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x0100): cmd [246] uid [71061] gid [71061] validate [true] enterprise principal [false] offline [false] UPN [hq-testu...@test.com]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab: [/etc/krb5.keytab]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test@test.com]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test@test.com).
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): Will perform password change
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x1000): Password change operation
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]

and again the last line is attempting kinit for realm

Thanks,
Rakesh


On Tue, Jan 13, 2015 at 1:05 AM, Dmitri Pal d...@redhat.com wrote:

  On 01/12/2015 12:55 PM, Rakesh Rajasekharan wrote:

  This is the full log,

 Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
 Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for hq-testuser from 10.5.68.184 port 54048 ssh2
 Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session opened for user hq-testuser by (uid=0)
 Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user hq-testuser does not exist in /etc/passwd
 Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user hq-testuser does not exist in /etc/passwd
 Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
 Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from 10.5.68.184: 11: disconnected by user
 Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session closed for user hq-testuser


  Does it happen for all users or only

Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Rakesh Rajasekharan
This is the full log,

Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for hq-testuser from 10.5.68.184 port 54048 ssh2
Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session opened for user hq-testuser by (uid=0)
Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user hq-testuser does not exist in /etc/passwd
Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user hq-testuser does not exist in /etc/passwd
Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from 10.5.68.184: 11: disconnected by user
Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session closed for user hq-testuser


 Does it happen for all users or only users that you migrated?
Yes, it happens for all. I created a new user (hq-testuser); it is a fresh one
that I created.

I found a workaround for this: users are able to successfully change the
password by connecting to the IPA master server.
So, it's only the ipa clients that have the issue.


Thanks,
Rakesh

On Mon, Jan 12, 2015 at 10:57 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote:
  under /var/log/secure.. have this error
  passwd: pam_sss(passwd:chauthtok): Password change failed for user
  hq-testuser: 22 (Authentication token lock busy)

 It looks like the log was truncated, can you post more context?

 Authentication token lock busy usually means the kadmin servers were
 offline..


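
The two logs in this thread show the same failure from two sides: on the client, pam_sss reports "22 (Authentication token lock busy)", and in krb5_child.log the password-change child (cmd 246) gets as far as "Attempting kinit for realm" and never logs a completion, while the preliminary check (cmd 247) completes fine. The script below is an added example for this thread, not code from SSSD or FreeIPA; it parses both logs, lists the krb5_child runs that stalled at that step, and can probe 464/tcp (kpasswd) on the IPA servers named on the command line, which is the first thing to check on a client that fails while the master succeeds. The log samples are the lines posted in the thread, rejoined one per line; the PAM code and command-code names are taken from pam_sss and SSSD's client protocol; the hostnames in the usage comment are placeholders.

```python
"""Triage SSSD password-change failures on an IPA client (added example)."""
import re
import socket
import sys

# pam_sss reports a password change it could not complete (for example, no
# reachable kpasswd/kadmin server) as PAM_AUTHTOK_LOCK_BUSY, printed by the
# PAM stack as "22 (Authentication token lock busy)".
PAM_AUTHTOK_LOCK_BUSY = 22
KPASSWD_PORT = 464  # kpasswd/kadmin password-change service, tcp and udp

# SSSD client command codes that appear in krb5_child "cmd [N]" lines.
SSS_PAM_CMDS = {246: "SSS_PAM_CHAUTHTOK", 247: "SSS_PAM_CHAUTHTOK_PRELIM"}

SECURE_RE = re.compile(
    r"pam_sss\(passwd:chauthtok\): Password change failed for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)"
)
# Accepts the real "[[sssd[krb5_child[PID]]]]" tag and the bracket-stripped
# form that mailing-list archives produce.
KRB5_CHILD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]* "
    r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)


def parse_chauthtok_failures(lines):
    """Return (user, pam_code, message) for every pam_sss chauthtok failure."""
    found = []
    for line in lines:
        m = SECURE_RE.search(line)
        if m:
            found.append((m.group("user"), int(m.group("code")), m.group("msg")))
    return found


def changepw_runs(lines):
    """Summarise each krb5_child process in a krb5_child.log excerpt.

    Returns {pid: {"cmd": name, "kinit_attempted": bool, "completed": bool}}.
    """
    runs = {}
    for line in lines:
        m = KRB5_CHILD_RE.match(line)
        if not m:
            continue
        pid, func, msg = m.group("pid"), m.group("func"), m.group("msg")
        run = runs.setdefault(pid, {"cmd": None, "kinit_attempted": False, "completed": False})
        cmd = re.search(r"cmd \[(\d+)\]", msg) if func == "unpack_buffer" else None
        if cmd:
            code = int(cmd.group(1))
            run["cmd"] = SSS_PAM_CMDS.get(code, str(code))
        elif func == "changepw_child" and msg.startswith("Attempting kinit"):
            run["kinit_attempted"] = True
        elif func == "main" and msg.startswith("krb5_child completed"):
            run["completed"] = True
    return runs


def stalled_changepw_pids(lines):
    """PIDs that attempted kinit towards the realm and never logged completion.

    That is the thread's signature: the client cannot reach a password server,
    the child times out, and pam_sss returns PAM_AUTHTOK_LOCK_BUSY to passwd.
    """
    return sorted(pid for pid, r in changepw_runs(lines).items()
                  if r["kinit_attempted"] and not r["completed"])


def probe_kpasswd(servers, timeout=3.0):
    """Plain TCP connect to 464 on each server; returns {server: reachable}.

    An open port does not prove kpasswd works, but a refused or timed-out
    connect from a client that fails while the master succeeds points at the
    network path.  Needs network access; the embedded samples never call it.
    """
    results = {}
    for host in servers:
        try:
            with socket.create_connection((host, KPASSWD_PORT), timeout=timeout):
                results[host] = True
        except OSError:
            results[host] = False
    return results


# Sample input: lines posted in this thread, rejoined onto one line each.
SECURE_SAMPLE = """\
Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user hq-testuser does not exist in /etc/passwd
Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
""".splitlines()

KRB5_CHILD_SAMPLE = """\
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): cmd [247] uid [71061] gid [71061] validate [true]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child completed successfully
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x0100): cmd [246] uid [71061] gid [71061] validate [true]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): Will perform password change
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
""".splitlines()

if __name__ == "__main__":
    for user, code, msg in parse_chauthtok_failures(SECURE_SAMPLE):
        hint = "  <- no password server reachable?" if code == PAM_AUTHTOK_LOCK_BUSY else ""
        print(f"{user}: {code} ({msg}){hint}")
    for pid, run in changepw_runs(KRB5_CHILD_SAMPLE).items():
        print(f"krb5_child[{pid}] {run['cmd']}: completed={run['completed']}")
    print("stalled runs:", stalled_changepw_pids(KRB5_CHILD_SAMPLE))
    # Usage on a real client (placeholder hostnames): python3 triage.py ipa1.example.com ipa2.example.com
    for host, ok in probe_kpasswd(sys.argv[1:]).items():
        print(f"{host}:{KPASSWD_PORT} {'open' if ok else 'unreachable'}")
```

Run it on a client with the real /var/log/secure and /var/log/sssd/krb5_child.log (after raising debug_level as advised earlier in the thread) instead of the embedded samples, and pass the IPA servers the client is configured to use; a stalled cmd 246 run together with an unreachable 464/tcp explains the "works on the master, fails on clients" pattern directly.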

[Freeipa-users] freeipa authentication token manipulation error

2015-01-11 Thread Rakesh Rajasekharan
Hi,

I am having some issues with freeipa. Whenever I change the password for
any user, he is not able to change the password, and he gets the error
"authentication token manipulation error":

Changing password for user hq-testuser.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error


I was able to get this running on another environment; not sure what went
wrong here.

I have migrated my existing users from openldap.

Thanks,
Rakesh